Privacy Policy
Effective Date: February 19, 2026 | Last Updated: May 27, 2026
1. Introduction
CoManix, Inc. ("CoManix," "we," "us," or "our") operates the CoManix platform (the "Platform"), an AI-powered, HIPAA-compliant surgical co-management compliance platform for ophthalmology. The Platform connects treating providers and referring providers — including optometrists (ODs) and ophthalmologists or other physicians (MD/DOs) — across separate offices to facilitate referrals, consent tracking, e-signatures, and care coordination for surgical co-management.
This Privacy Policy describes how we collect, use, disclose, and protect information — including Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH") — when you use the Platform.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not use the Platform.
2. Scope and Applicability
This Privacy Policy applies to:
- All users of the Platform, including treating providers, referring providers, and administrative staff ("Users")
- Patients whose information is processed through the Platform ("Patients")
- All information collected through the Platform, including via web applications, mobile applications, and APIs
CoManix operates as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities (the healthcare practices that use the Platform). Our obligations regarding PHI are further governed by Business Associate Agreements ("BAAs") executed with each Covered Entity, as required by 45 C.F.R. § 164.502(e) and 45 C.F.R. § 164.504(e).
To the extent there is any conflict between this Privacy Policy and a BAA, the terms of the BAA shall control with respect to PHI.
3. Information We Collect
3.1 Protected Health Information (PHI)
In connection with surgical co-management activities, we process the following categories of PHI as defined under 45 C.F.R. § 160.103:
- Patient Identifiers: First name, last name, middle name, prefix, suffix, date of birth, email address, and phone number
- Clinical Information: Referral diagnosis, referral reason (e.g., Cataract, YAG, Glaucoma, LASIK), urgency level, and co-management status
- Consent Records: Consent documents, e-signatures (patient, witness, treating provider, and referring provider), and consent status
- Faxed Visit Reports: Documents received via fax that are processed by our AI agents to extract patient data and populate co-management forms
3.2 User Account Information
When Users register for and use the Platform, we collect:
- Registration Data: Name, email address, phone number, professional credentials (e.g., OD, MD, DO), and office affiliation
- Authentication Credentials: Email and password (passwords are managed and stored by our cloud-based identity provider; CoManix does not have access to plaintext passwords)
- Role and Membership Data: Office memberships, assigned roles, and associated permissions
3.3 Automatically Collected Information
When you access the Platform, certain technical information may be collected automatically:
- Server Logs: IP addresses, browser type, operating system, referring URLs, and timestamps of access (no PHI is included in server logs)
- Audit Trail Data: Records of every access to PHI, including the identity of the User, the action performed, and a timestamp (per HIPAA § 164.312(b))
- Marketing Website Analytics: On our public marketing website (comanix.com), we use AWS CloudWatch RUM — a first-party analytics service operated entirely within our own AWS environment, not a third-party analytics vendor — to understand visitor traffic and improve the site. It collects: page views and sessions; country-level geographic region; browser and device type; the referring website; the page paths visited; basic page-load performance metrics; and interaction events such as clicks on calls-to-action and expansions of FAQ entries. To measure sessions and returning visitors it stores a randomly generated session and visitor identifier in your browser using cookies and localStorage. This analytics runs only on the public marketing website and never collects PHI, form contents, names, or email addresses — only the categorical, non-identifying data points listed here. The authenticated Platform application does not run these analytics.
We do not use advertising cookies, cross-site tracking, or any third-party analytics service. If our analytics practices change materially, this Policy will be updated accordingly and Users will be notified.
3.4 Information We Do Not Collect
- We do not store PHI in client-side storage mechanisms such as localStorage, sessionStorage, cookies, or URL parameters
- We do not collect financial or payment information (e.g., credit card numbers, bank account details)
- We do not collect Social Security Numbers
4. How We Use Information
4.1 PHI Usage
We use PHI strictly as permitted under HIPAA for the following purposes, and in accordance with our BAAs:
- Treatment Operations: Facilitating referrals between treating providers and referring providers, coordinating pre- and post-operative care, and enabling communication between healthcare providers involved in a patient's surgical co-management (45 C.F.R. § 164.506(c))
- Consent Management: Generating, sending, tracking, and storing consent documents and collecting e-signatures from patients, witnesses, treating providers, and referring providers
- AI-Assisted Document Processing: Using AI agents under contract with HIPAA-eligible providers to extract patient data from faxed visit reports and populate compliant co-management forms, reducing manual data entry and improving accuracy
- Compliance and Audit: Maintaining an immutable audit trail of all PHI access and modifications as required by HIPAA § 164.312(b)
4.2 Non-PHI Usage
We use non-PHI information for the following purposes:
- Account Management: Creating, maintaining, and administering User accounts, roles, and permissions
- Platform Operations: Monitoring system performance, ensuring availability, and maintaining security
- Communications: Sending system notifications, invitation emails, and service-related updates
- Legal Compliance: Responding to legal process, enforcing our Terms of Service, and complying with applicable laws
4.3 SMS / Text Message Communications
When Users elect to receive SMS messages — either by selecting text message as their multi-factor authentication method or by enabling SMS account notifications — the following terms apply:
- Program Name: CoManix Account Verification & Notifications
- Message Types: One-time passcodes for sign-in verification, and transactional account notifications (e.g., security alerts, referral or consent status updates). CoManix does not send marketing or promotional SMS.
- Message Frequency: Message frequency varies based on account activity (typically one message per sign-in attempt for 2FA, and event-driven for notifications).
- Costs: Message and data rates may apply, as set by your mobile carrier.
- Opt-Out: You can opt out at any time by replying STOP to any message, or by disabling the SMS option in your CoManix account settings. After opting out, you may receive a single confirmation message.
- Help: For assistance, reply HELP to any message or contact support@comanix.com.
- Carriers: Supported carriers include AT&T, T-Mobile, Verizon Wireless, Sprint, and others. Carriers are not liable for delayed or undelivered messages.
- Mobile Opt-In Data Sharing: Mobile phone numbers and SMS opt-in information are never shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data is used solely to deliver the messages you have requested.
PHI is not transmitted via SMS. SMS messages contain only authentication codes and non-PHI operational notifications.
4.4 Prohibited Uses
CoManix does not and will never:
- Sell, rent, or lease PHI or personal data to any third party
- Use PHI for marketing, advertising, or promotional purposes
- Monetize patient data in any form, including de-identified or aggregated data
- Use PHI to train general-purpose AI or machine learning models (AI processing is limited to extracting data from documents submitted by authorized Users for immediate care coordination purposes only)
- Share PHI with any party that has not executed a BAA with CoManix
5. How We Protect Information
CoManix implements comprehensive administrative, technical, and physical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) to protect the confidentiality, integrity, and availability of PHI.
5.1 Technical Safeguards
- Encryption in Transit: All data transmitted between Users and the Platform is encrypted using TLS (Transport Layer Security) as required by 45 C.F.R. § 164.312(e)(1)
- Encryption at Rest: All PHI stored in our cloud database and document storage is encrypted at rest using industry-standard encryption, satisfying 45 C.F.R. § 164.312(a)(2)(iv)
- Access Controls: Role-based access control (RBAC) with office-level isolation ensures Users can only access data associated with their assigned offices, enforcing the Minimum Necessary standard under 45 C.F.R. § 164.502(b)
- Authentication: User authentication is managed through a HIPAA-eligible cloud-based identity provider with enforced password complexity requirements. Session timeouts are enforced via short-lived authentication tokens to comply with 45 C.F.R. § 164.312(a)(2)(iii)
- Audit Controls: An immutable, append-only audit trail logs every access to PHI, including the identity of the User, the action performed, and a timestamp, satisfying 45 C.F.R. § 164.312(b)
- Rate Limiting: Sensitive endpoints are rate-limited to prevent brute-force attacks and abuse
- Input Validation: All inputs are validated and sanitized using schema-based validation to prevent injection attacks. All database queries use parameterized statements.
- Secure Document Access: Consent documents are accessible only via short-lived, time-limited authenticated links to prevent unauthorized access or in-browser rendering
- Webhook Security: Webhook endpoints use cryptographic signature verification to prevent tampering
5.2 Administrative Safeguards
- Access to PHI is limited to authorized personnel on a need-to-know basis
- Business Associate Agreements are executed with all third-party service providers that have access to PHI
- PHI is never included in application logs, error messages, or client-facing error responses
- API error responses are designed to prevent enumeration of PHI records
5.3 Infrastructure Security
The Platform is hosted on a HIPAA-eligible cloud infrastructure provider in United States regions, under an executed BAA. All PHI remains within the continental United States. Our cloud infrastructure provider maintains SOC 1/2/3, ISO 27001, and HIPAA compliance certifications.
6. Data Retention
In compliance with HIPAA data retention requirements (45 C.F.R. § 164.530(j)), CoManix maintains the following retention practices:
- PHI and Related Records: All patient data, referral records, consent documents, and associated PHI are retained for a minimum of six (6) years from the date of creation or the date when the record was last in effect, whichever is later
- Audit Logs: Audit trail records are retained indefinitely and are immutable (append-only). They cannot be modified or deleted
- Retention on Deletion: Data marked for deletion within the Platform is excluded from normal use but retained for the applicable retention period before permanent deletion. The deletion event itself (timestamp, requestor, and reason) is recorded in the audit trail
- Account Data: User account information is retained for as long as the account is active and for a reasonable period thereafter to comply with legal and regulatory obligations
State laws may impose longer retention periods. CoManix will comply with the longest applicable retention requirement.
7. Disclosure of Information
We may disclose information in the following circumstances:
7.1 Permitted Disclosures Under HIPAA
- Treatment, Payment, and Health Care Operations: PHI may be disclosed to healthcare providers involved in the patient's surgical co-management as permitted under 45 C.F.R. § 164.506
- As Required by Law: We may disclose PHI when required by federal, state, or local law, including court orders, subpoenas, or legal proceedings (45 C.F.R. § 164.512(a))
- Public Health Activities: As permitted under 45 C.F.R. § 164.512(b) for public health purposes
- Health Oversight Activities: To health oversight agencies for activities authorized by law, including audits and investigations (45 C.F.R. § 164.512(d))
- To Avert a Serious Threat: When necessary to prevent or lessen a serious and imminent threat to health or safety (45 C.F.R. § 164.512(j))
7.2 Business Associates and Service Providers
We engage Business Associates and sub-processors to provide certain services that may involve access to PHI, including cloud infrastructure, e-signature services, and AI-assisted document processing. Each Business Associate has executed a BAA with CoManix as required by 45 C.F.R. § 164.502(e), and all PHI is processed within the United States.
A current list of Business Associates is provided as part of the BAA package. To request our BAA, see /baa.
We do not share PHI with any third party that has not executed a BAA with CoManix.
7.3 Disclosures We Do Not Make
- We do not sell PHI or personal information to any third party under any circumstances
- We do not share information with advertisers, data brokers, or marketing companies
- We do not disclose PHI for any purpose other than surgical co-management or those otherwise permitted by HIPAA
8. AI-Assisted Processing
CoManix uses artificial intelligence to enhance the efficiency and accuracy of surgical co-management workflows. It is important for Users and Patients to understand how AI is used:
- Purpose: AI agents process faxed visit reports to extract patient data (names, dates of birth, clinical findings) and auto-populate co-management compliance forms, reducing manual data entry burden on healthcare staff
- Technology: AI processing is performed by HIPAA-eligible AI/ML providers under an executed BAA, performing optical character recognition and data extraction from document images. The current provider is identified in the BAA package available to customers.
- Data Handling: Documents submitted for AI processing are transmitted securely via TLS. PHI extracted by AI is stored in the same encrypted database as all other PHI on the Platform, subject to the same access controls, audit logging, and retention policies
- No Model Training: PHI processed through the Platform is not used to train, fine-tune, or improve any general-purpose AI or machine learning models. Processing is performed on a transactional basis for the sole purpose of immediate care coordination
- Human Oversight: AI-extracted data is presented to authorized Users for review and confirmation before being finalized in the system. Users are responsible for verifying the accuracy of AI-extracted information
9. User Rights and Patient Rights
9.1 HIPAA Patient Rights
Patients whose PHI is processed through the Platform have the following rights under HIPAA. Because CoManix operates as a Business Associate, these requests should generally be directed to the Covered Entity (the healthcare practice) that created the referral. CoManix will assist Covered Entities in fulfilling these requests as required by our BAAs:
- Right of Access (45 C.F.R. § 164.524): The right to inspect and obtain a copy of their PHI maintained in the Platform
- Right to Amendment (45 C.F.R. § 164.526): The right to request amendment of their PHI if they believe it is inaccurate or incomplete
- Right to an Accounting of Disclosures (45 C.F.R. § 164.528): The right to receive an accounting of certain disclosures of their PHI. Our immutable audit trail facilitates the generation of such accountings
- Right to Request Restrictions (45 C.F.R. § 164.522): The right to request restrictions on certain uses or disclosures of their PHI
- Right to Confidential Communications (45 C.F.R. § 164.522(b)): The right to request that communications regarding their PHI be made by alternative means or at alternative locations
- Right to Receive Notice of a Breach (45 C.F.R. § 164.404): The right to be notified in the event of a breach of unsecured PHI
9.2 User Account Rights
Platform Users have the right to:
- Access and update their account profile information at any time
- Request deletion of their account (subject to applicable data retention requirements)
- Receive notification of material changes to this Privacy Policy
9.3 State Privacy Rights
Depending on your state of residence, you may have additional privacy rights under state laws such as the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), or similar legislation. However, to the extent that the information at issue constitutes PHI governed by HIPAA, it is generally exempt from these state consumer privacy laws. For non-PHI personal information, we will honor applicable state privacy rights. Contact us at privacy@comanix.com to exercise any applicable rights.
10. Breach Notification
In the event of a breach of unsecured PHI, CoManix will comply with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414) and the HITECH Act § 13402:
- Notification to Covered Entities: CoManix will notify affected Covered Entities without unreasonable delay, and in no case later than sixty (60) days after discovery of the breach, as required by 45 C.F.R. § 164.410
- Notification to Individuals: The applicable Covered Entity is responsible for notifying affected individuals. CoManix will provide all information necessary to facilitate such notification
- Notification to HHS: Breaches affecting 500 or more individuals will be reported to the Secretary of Health and Human Services without unreasonable delay. Breaches affecting fewer than 500 individuals will be reported annually, as required by 45 C.F.R. § 164.408
- Documentation: CoManix will document all breach investigations, risk assessments, and notifications in accordance with 45 C.F.R. § 164.414(b)
11. Third-Party Services and Links
The Platform may contain links to third-party websites or services that are not operated by CoManix. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.
Our use of third-party services that process PHI is governed by BAAs as described in Section 7.2. We conduct due diligence on all third-party service providers that may have access to PHI to ensure they maintain appropriate security standards.
12. Children's Privacy
The Platform is designed for use by licensed healthcare professionals and their authorized staff. The Platform is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in their capacity as Users of the Platform.
However, Patient PHI processed through the Platform may include information about minor patients when such patients are referred for surgical co-management by their healthcare providers. The processing of minor patient PHI is governed by HIPAA, applicable state laws regarding minors' health information, and the relevant consent and authorization processes managed by the Covered Entity.
If you believe that we have inadvertently collected personal information from a child under 13 outside of the HIPAA-governed context described above, please contact us immediately at privacy@comanix.com.
13. International Data Transfers
The Platform is hosted in the United States on cloud infrastructure located in US regions. All PHI is stored and processed within the continental United States. We do not transfer PHI outside of the United States.
If you access the Platform from outside the United States, you understand and consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.
14. Changes to This Privacy Policy
CoManix reserves the right to update or modify this Privacy Policy at any time. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- We will notify registered Users via email or through the Platform of material changes
- For changes affecting the use or disclosure of PHI, we will provide at least thirty (30) days' advance notice before the changes take effect
Continued use of the Platform after any modification to this Privacy Policy constitutes acceptance of the modified terms.
15. Governing Law
This Privacy Policy is governed by HIPAA, the HITECH Act, and applicable federal and state laws of the United States. To the extent that state privacy laws provide greater protections than those set forth herein, we will comply with the more protective standard.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy, our privacy practices, or your rights, please contact us:
CoManix, Inc.
Attn: Privacy Officer
Email: privacy@comanix.com
To report a potential security incident or data breach involving PHI, please contact privacy@comanix.com immediately. Include as much detail as possible about the nature of the incident.