BrilLiquid LLC — BRILL.health Privacy Policy
Effective Date: [TBD] (Published v4.1 — 2026-05-10)
About this document
This is the plain-English Privacy Policy for BRILL.health, the patient-facing health platform operated by BrilLiquid LLC. We've written it to be readable — not dense legalese — so you can actually understand what happens with your information.
A more detailed counsel-reviewed version of this policy is maintained internally and is available on request to counsel, regulators, and sophisticated auditors. Substantive commitments are identical between the two; the detailed version just includes additional regulatory citations and technical implementation specifics.
1. Our philosophy
BRILL.health is built around a simple idea: your health records belong to you and live with you, not in a BrilLiquid database. We act as a relay between you and the providers you choose to share with — not a data lake that collects and aggregates your records.
Everyone is welcome. We don't condition platform access on citizenship, residency, or documentation status. A specific feature — Direct Secure Messaging with licensed healthcare providers — requires stronger identity verification because federal rules require it; if you don't complete that verification, you still have access to every other platform feature. You can upgrade whenever you're ready.
We never collect your country of birth or immigration status.
2. Where your data lives
- Your clinical records and health history are designed to live on your personal device, encrypted.
- Some data types are too large to fit practically on a phone (for example, diagnostic imaging like CT or MRI scans, which can be gigabytes per study). For those, we maintain a reference (a pointer you control) to the originating imaging system, or store encrypted data in our cloud with your own encryption key. You choose the approach at onboarding.
- Data in transit is protected by industry-standard encryption. Data at rest is encrypted.
- If you lose access to your device and its backups, you may lose access to records we cannot decrypt. Before enabling device-based encryption for your account, we'll give you plain-language backup guidance.
3. How we help you share
We facilitate sharing only through channels you choose.
3.1 Three distinct roles for the people in your care circle
HIPAA recognizes three different kinds of people involved in your care, each with different legal standing. BRILL.health lets you designate any, all, or none of these — separately:
- Emergency Contact — someone to reach in an emergency. They don't get access to your records and can't make decisions for you.
- Personal Representative — someone you've formally authorized (through a healthcare power of attorney, advance directive, or similar legal document) to make decisions on your behalf when you can't. This role has the full legal authority under HIPAA.
- Records-Access Proxy — someone you want to receive copies of your records. No decision-making authority.
You can designate the same person for multiple roles, different people for different roles, or nobody at all. You can change these at any time.
3.2 Short-lived access codes
For times when you need to share records with a provider who isn't on a secure health network (a specialist you're seeing once, a caregiver without a provider account), BRILL.health can generate a short-lived code (typically valid 6 hours) that gives the recipient time-limited read-only access. You can revoke the code at any time.
3.3 BrilLiquid as your delivery agent (optional)
If you'd prefer, you can authorize us to transmit records to providers on your behalf. Records are clearly attributed to you as their author and originator. This service requires your explicit consent and is revocable at any time.
3.4 Text messages (SMS)
If you invite a care-team member by text, we send only brief notifications — never any health information. Reply STOP to opt out.
3.5 What we record when you share
Each time you share an item from your record — your Summary, a result PDF, a note, a slice of your claims history — BRILL.health records two things in your transaction history:
- The grant. What you shared, with whom, when, and under which authenticated session. This is the consent record. Revoking it adds a new entry; we never erase the original.
- The delivery. That it actually went out, with the secure-messaging envelope ID linking back to the grant.
You can review both at any time. We can never edit either record after the fact — only append new ones (revocations, follow-up sends).
3.6 Your annotations on your records
Your BRILL.health record is a patient-curated record — we hold the records that come in from your providers, your insurer, your pharmacy, and your own uploads, and we let you add your own context alongside them. We don't claim to be the source of truth about your health (that's not a role we should take). What we claim is more honest: we can prove who originated each record, when, and how it reached us — and we can prove that an annotation you made under your verified BRILL.health session is yours.
Your record has three layers, each clearly attributed:
- Original records from your providers, insurer, pharmacy, etc. We never modify these. If a provider sends a corrected version, the new version arrives as a separate record; the old one is kept for the audit trail.
- Curated context we add — for example, a screening schedule from USPSTF, a surveillance reference from NCCN, a clean visualization of your lab trend over time. These are clearly labeled as BRILL.health-attributed and never modify the original.
- Your annotations. You can add context — clarifications, corrections, missing details you know to be true, questions to raise with your care team, follow-up notes after a visit. Each annotation is signed by your verified session, timestamped, and append-only — if you change one, the prior version is preserved in the audit trail and the new one supersedes it forward; nothing is silently overwritten.
Your annotations may also come from your care team. A spouse or adult-child caregiver may text you a context note that you accept as an annotation. A clinician on your care team may add a clarification (which carries their professional credentials as the attribution). A sibling may share family-history context. In every case, the original suggester is attributed alongside your acceptance.
When you share an annotated record with a clinician, your annotations travel with it — clearly labeled as yours, alongside the original. The clinician doesn't have to agree with you; they just have to trust that you really made the annotation.
Annotations don't replace original records. They don't constitute medical advice. And they don't bind any provider's care decisions. They are your contribution to your record — preserved with the same care as everything else.
3.7 The shape of every consent
Every consent you give on BRILL.health — for our Terms of Service, for sharing a record with a care-team member, for an advance directive, for research participation, or for anything else — is recorded in a structured form (FHIR R4 Consent, the standard your providers, insurers, and electronic health records already use). What this means for you:
- One ledger for every consent. All your consents — granted, revoked, or pending — live in one place. You can review the complete list any time.
- Each consent is independently revocable. Never bundled. Granting one doesn't commit you to another. Revoking creates a new entry; we never erase the original.
- Authority instruments are the same shape. An advance directive, a healthcare power of attorney, a notary-witnessed delegation — these are all FHIR Consent resources with an activation predicate that controls when they take effect ("on incapacity," "on death").
- Portable. Because your consents are in a standard form, you can export them and share them with another platform, healthcare provider, or family member acting under authority you've granted.
- Default on revocation: tombstone. When you revoke a consent that authorized data sharing, the data is kept as ciphertext — inaccessible until you re-grant. You can also choose to delete or to retain accessibly. The choice is yours; the default is the most privacy-preserving.
4. Connecting to other services
BRILL.health can bring data into your record from several places:
- Your hospital's patient portal — direct connection via SMART on FHIR (the standard most US hospitals support)
- Your health insurer's Patient Access feature — direct connection to your claims, EOBs, and (where applicable) clinical data
- Your pharmacy or PBM — prescription history and cost transparency
- Health devices and wearables — through manufacturers like Withings, Fitbit, Garmin, Oura, Dexcom, Omron (web-accessible vendor clouds)
- Files you upload yourself — including C-CDA exports, FHIR Bundles, lab PDFs, payer claims downloads, and exports from Apple Health or Google Health Connect
About Apple Health and Google Health Connect
BRILL.health runs as a web app you add to your phone's home screen — not an iPhone app from the App Store or an Android app from Google Play. That technical choice has a consequence you should know:
We do not connect directly to Apple Health (HealthKit) or Google Health Connect. Web apps can't read or write those services. So we don't sync your health data automatically from either of them.
What we do support: you can upload exports from Apple Health or Google Health Connect to BRILL.health, and we'll preserve where the data came from. Apple Health, in particular, is already connected to records from hundreds of hospitals, clinics, and pharmacies via Apple Health Records. If you export your Apple Health data and upload the export file to BRILL.health, we'll parse the records and tag each one with its full source chain — e.g., this lab result came from Hospital X via Apple Health Records, then via your Apple Health export, on the date you uploaded. Same pattern for Google Health Connect.
Apple's and Google's rules on health data still apply to us when you upload an export. Even though we don't have a live connection to either store:
- We never use HealthKit- or Health-Connect-derived data for advertising.
- We never sell it to advertising platforms, data brokers, or information resellers.
- We share HealthKit-derived data with a third party only with your express permission, and even then only if that third party also provides a health or fitness service to you. For research, we share only with your specific research consent.
If we ever release a native iPhone or Android app — none is currently planned — direct sync could become possible. We'll tell you well in advance.
We will never build integrations whose primary purpose is monetizing your health data through advertising or resale.
When your insurer's data covers other people on your plan
When you connect to your insurer's Patient Access API, or when you download your claims file from their member portal, your insurer's system may return claims for everyone on your plan — your spouse, dependents, anyone else covered. That's how US insurance APIs are designed.
BRILL.health partitions this data by individual. We identify you as the policyholder using the structured cues your insurer provides (typically a "(Self)" tag next to your name, or your patient identifier in the API response) and store only your claims in your record. Anything belonging to other plan members is shown to you as a discreet count — "your plan also covers N other member(s)" — but never merged into your record, never shown alongside your claims, and never available for you to share with your care team.
If a household member wants to see their claims on BRILL.health, they sign up for their own account, verify their own identity, and connect to the insurer themselves. We never auto-merge another adult's record into yours.
The exceptions are formal: minors and incapacitated adults for whom you hold documented authority (parental rights, healthcare power of attorney, legal guardianship), and HIPAA Personal Representatives acting on someone else's behalf. In those cases your access flows from the underlying legal document — not from being on the same insurance plan.
5. Research and clinical trials
You may choose to contribute de-identified data to research. Participation is entirely optional and requires your affirmative consent for each study. You may receive financial rewards for participation in qualifying programs.
What you should understand before consenting
De-identification reduces privacy risk but doesn't eliminate it:
- Re-identification is possible, though uncommon. A bad actor with partial information about you could, in theory, cross-reference published research results to determine that you participated in a study and learn related information about you.
- Breach risk exists. We maintain strong security, but no system is perfect.
- If your contribution includes genetic data, a breach could implicate biological relatives who share genetic material with you. You may want to consider informing relatives.
- Unforeseeable risks. New techniques or datasets could introduce risks we can't currently anticipate. We'll update this disclosure as our understanding evolves.
Changing your mind
Revocation takes effect within 30 days (often faster). It stops future uses of your data but can't reverse research already completed or un-publish results already published.
Declining research doesn't affect your access to any other BRILL.health feature.
6. Security
We use industry-standard protections:
- Encryption of your data in transit and at rest
- Multi-factor authentication (Passkeys preferred, TOTP authenticator apps as a fallback)
- Role-based access with least-privilege principles
- Audit logging of administrative actions, with minimization (see §11)
- Business Associate Agreements with all sub-processors that handle Protected Health Information
- Regular internal security review
Our target architecture makes encryption keys device-held so our servers never have the ability to decrypt your content. We're implementing this in phases; the current phase uses HIPAA-acceptable server-side encryption.
7. How long we keep things
We retain only the minimum necessary to run the platform and meet legal requirements.
| Data type | Retention |
|---|---|
| Your account profile | Until you close your account |
| Identity verification records (if you enable Direct Secure Messaging) | As required by applicable rules |
| Message envelope metadata (addresses, timestamps, delivery receipts) | As required by audit rules |
| Message content (encrypted) | Short-lived after delivery to your device |
| Transaction and audit logs | As required by applicable rules |
| Administrative access logs | 90 days |
| AI-service inputs | Not currently applicable — no AI features are in production |
When you close your account, we delete platform account data except what legal retention rules require us to keep. Your records on your device remain yours.
8. What we collect
The minimum we need for any service:
- Your name
- Your date of birth
- A way to contact you (email or phone)
- A password hash (never the password itself)
Optional additions — you choose when or whether:
- Social Security Number or ITIN (enables certain record-pulls from providers)
- Home address (enables location-aware features)
- Insurance card data (enables pulls from your insurer)
- Government-issued ID (enables Direct Secure Messaging)
- Citizenship (used only for jurisdictional routing if you provide it)
Platform-operation data we collect:
- Identity-verification results from our verification partner (structured data; not photos of your ID after verification completes)
- Message metadata (to route and audit)
- Browser/device type (for security and data provenance)
- Audit logs
What we never collect:
- Country of birth
- Immigration status
- Proxies for either (visa history, countries-lived-in, etc.)
If we ever changed any of these commitments, we'd notify you in advance.
9. What we never do
- We never sell your information to anyone, for any purpose.
- We never share your information for marketing.
- We never aggregate your health records into a central BrilLiquid repository.
- We never train AI on your clinical content.
- We never use your data for advertising targeting.
- We never block or impede your access to your records (see §10).
- We never voluntarily share information with any government agency outside properly-served legal process (see §14).
10. Our information-access commitments
BRILL.health is built to make your information more accessible to you, not less:
- We comply with 21st Century Cures Act rules prohibiting information blocking.
- We maintain multiple ways for you to get your data — on-device, machine-readable export, secure messaging, and time-limited access links. No single partner controls any class of your data.
- Your statutory rights (HIPAA, Cures, your state's privacy laws, international privacy laws) are not waivable by your acceptance of these terms. We don't ask you to waive them, and we won't retaliate if you exercise them.
- We won't enter agreements with third parties that restrict your data access or portability.
- We support complaints you file against third parties who block your access. We won't retaliate against you for filing, and we won't notify the third party unless you authorize us to.
11. Administrative access logs
We log administrative access to our systems as required by security and HIPAA audit rules. We apply minimization:
- We collect only the logs we're required to collect.
- We keep them for 90 days in full detail.
- We don't use access logs to build behavioral profiles.
- We don't use access logs for marketing, recommendations, or advertising.
12. Identity verification
BRILL.health uses identity verification for two distinct purposes:
- Platform onboarding and account security — performed by our trusted third-party identity-verification partner (Plaid, Inc.) using industry-standard methods: document authentication, live selfie with biometric match, and fraud-signal checks. This partner handles only identity attributes (name, date of birth, address, ID document images, biometric selfie) for verification purposes — no Protected Health Information, clinical data, or health records are shared with them. They operate as a general identity-verification service, not as a healthcare business associate.
- Direct Secure Messaging activation (optional) — additional identity proofing, performed by a federally-compliant verification provider, is required by federal rules if you choose to activate Direct Secure Messaging. Your Direct address is issued as a cryptographic credential under standards-based messaging partners.
13. Artificial intelligence
No AI-assisted features are in production on BRILL.health today. We're evaluating narrow, specific uses of AI where they'd genuinely help you — for example, pulling fields off an insurance-card photo instead of making you type them. We will not introduce any AI-assisted feature that handles your health information without a Business Associate Agreement with the AI provider. When we do add AI features, we'll describe them here first — what each one does, what data it sees, what contractual protections apply, and how to opt out.
14. Law enforcement and government access
Our architecture holds as little information about you as possible. Where we must hold information, we encrypt it so (in our target state) only you can decrypt.
- Compelled disclosure. If we receive a valid legal request (subpoena, warrant, court order), we comply. Legal process should be sent to legal@brilliquid.com. Where law permits, we notify you first so you have a chance to object or seek a protective order.
- We can only produce what we actually hold. If it's encrypted and we don't have the key, we produce ciphertext and disclose that we can't decrypt it.
- Transparency reports. We publish a semi-annual report on legal process received (aggregate counts, categories, how many we produced, narrowed, rejected, or received gag orders on — to the extent law permits).
- No voluntary sharing. We don't voluntarily share your information with any government agency. We do not participate in voluntary data-sharing programs with immigration enforcement, tax enforcement, or any other agency.
- No backdoors. We don't build backdoors for any government or third party. If law ever required us to, we'd disclose the requirement here before it took effect.
15. Your choices
You may at any time:
- Revoke any consent you previously gave.
- Delete your account (audit logs required by law are retained in minimized form).
- Export the data we hold for you in a machine-readable format (multiple formats supported).
- Correct inaccurate information.
- Ask us how your data has been handled.
- Exercise rights under state, national, or international privacy laws (see Appendices B, C, D).
Contact us using the information at the end of this policy.
16. If there's a breach
If an incident affects the confidentiality, integrity, or availability of your information, we'll notify you without unreasonable delay, and within the legal timeframes that apply (HIPAA's 60-day outside limit; state-specific timelines for California, Washington, and Nevada residents). We'll tell you what happened, what was affected, what we're doing, and what you can do.
17. Changes to this policy
If we make material changes, we'll notify you in advance — by in-app notice, email, or both — before the change takes effect. The "Effective Date" above shows the current version date. Prior versions are available on request.
18. Our legal role
BRILL.health operates principally as a Business Associate under HIPAA — meaning we handle health information on behalf of healthcare providers, labs, and health plans, and we're subject to those entities' Business Associate Agreements.
For Direct Secure Messaging, we also act as a Registering Agent for the industry-standard healthcare-messaging network. If our role expands in the future, we'll update this section in advance.
Contact
BrilLiquid LLC (a New Jersey limited liability company), Florham Park, NJ 07932
- General inquiries (email): am@brilliquid.com
- Direct Secure Messaging (for healthcare correspondence): am@brill.health
- Business continuity: +1-201-637-1765
- Data Protection Officer / Privacy Questions: privacy@brilliquid.com
Note on email: brilliquid.com is our corporate email. brill.health is a Direct Secure Messaging address — a standards-based secure channel reserved for healthcare correspondence, not a regular email inbox. A healthcare corporate email on brilliquid.health will activate later; we'll update this policy when it does.
Appendix A — Service Providers
We rely on a small number of trusted partners. Each has a contract with confidentiality and security obligations. Where Protected Health Information is involved, we have Business Associate Agreements in place.
| Provider | Role |
|---|---|
| Amazon Web Services | Cloud infrastructure |
| MaxMD, Inc. | Secure healthcare messaging infrastructure |
| Plaid, Inc. | Identity verification at platform onboarding — handles only identity attributes (name, date of birth, address, government-ID images, biometric selfie) for verification purposes. Does not receive Protected Health Information, clinical data, or health records. Plaid operates as a general identity-verification service, not as a healthcare business associate. |
| Accredited Credential Service Provider (specific vendor named when integration is live) | Federal-grade identity proofing required for Direct Secure Messaging |
| BoldSign (by Syncfusion) | Electronic signatures |
| Twilio, Inc. | Text-message delivery for invitations and reminders (never PHI) |
Program-specific sub-processors (testing laboratories, telemedicine providers, insurance partners, payment processors) are introduced as distinct programs become available, each with its own consent flow. Those sub-processors will be named here when the programs enter general availability.
We may add or change sub-processors over time. Material additions appear in the next version of this policy; immediate updates are available on request.
Appendix B — California Residents
If you live in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you these rights, in addition to those in §15:
- Right to know what we've collected and how we use it.
- Right to delete your personal information (subject to legal exceptions).
- Right to correct inaccurate information.
- Right to limit use of sensitive personal information to what's needed for the service you requested.
- Right to opt out of sale or sharing for cross-context behavioral advertising — we don't sell or share for advertising, so there's nothing to opt out of, but we confirm this right.
- Right to non-discrimination for exercising any of these rights.
How to exercise: email am@brilliquid.com or mail us. We respond within 45 days (extendable 45 more with notice).
California's Confidentiality of Medical Information Act (CMIA) also applies to your medical information and coexists with CCPA/CPRA rights.
Appendix C — Washington and Nevada Residents
Washington's My Health My Data Act and Nevada's Health Privacy Act give you additional rights over "consumer health data":
- Granular consent — we obtain your affirmative consent before collecting or sharing consumer health data, separately for each purpose.
- Right to withdraw consent at any time.
- Right to access, delete, and obtain a list of third parties we've shared your consumer health data with.
- No geofencing around health facilities — we don't and won't do this.
- Private right of action (Washington) for violations of the My Health My Data Act.
How to exercise: email am@brilliquid.com. We respond within 45 days.
Appendix D — Patients with International Ties
If your care crosses international borders — you live abroad, you're a dual citizen, you're traveling for care, you're an international student or worker — we're built to accommodate you:
- Your data travels with you. Clinical records on your device are yours to take anywhere you have a lawful right to travel.
- Your home country's privacy laws apply to you. Residents of the EU, UK, Canada, Australia, India, and other jurisdictions with data-protection laws have those laws' rights (access, deletion, correction, portability, objection). Our policy meets or exceeds most of these.
- Sub-processors are U.S.-based. By using BRILL.health from a non-U.S. jurisdiction, you understand your data may be processed in the U.S. Where your jurisdiction requires specific legal bases for cross-border transfer, we rely on your consent and (where applicable) Standard Contractual Clauses.
- If you provide your citizenship, we use it only for jurisdictional routing.
How to exercise: email am@brilliquid.com. Identify your country of residence and we'll apply the relevant framework.
This is the plain-English published version of our Privacy Policy. A more detailed counsel-reviewed version with additional regulatory citations, technical implementation detail, and policy rationale is available on request.