ofekאופק

Ofek policy

Privacy and Security Notice

This notice explains how Ofek handles health information when a user asks Ofek to retrieve, organize, and use their records.

Effective date: June 8, 2026

Ofek is a pre-launch personal health record service operated by Ofek Health, Inc., a Delaware corporation incorporated through Stripe Atlas.

What Ofek Does

Ofek helps a user request, receive, organize, and use their own health information. Ofek can store records the user chooses to retrieve or upload, organize them into a longitudinal record, cite generated facts back to source material, and prepare visit materials for the user.

Ofek is a patient-controlled personal health record. Ofek is not a hospital, health plan, or treating provider. Ofek does not provide medical advice, diagnosis, or treatment.

Individual Access Services

When available, Ofek may help a user request health information from health care organizations connected to national health information networks. Ofek acts only after the user or authorized personal representative gives express consent.

Request-only Individual Access Services statement: Ofek does not provide bidirectional exchange services. Users may request access to their health information through supported exchange pathways. Users may not use Ofek to send their health information to network participants unless Ofek separately enables and discloses that capability.

Information Ofek May Collect

  • Account information, such as name, email, phone number, and authentication details.
  • Identity proofing information from an approved credential service provider.
  • Verified demographics used to match records, such as name, date of birth, address, email, and phone number.
  • Self-asserted demographics the user provides to help record matching.
  • Health information returned in response to the user's request.
  • Uploaded records, device exports, documents, and notes the user chooses to add.
  • Technical logs, audit logs, consent records, and security records.

Ofek does not collect background device data such as contacts, photos, device location, or device identifiers beyond technical and security metadata needed to operate the service. If a user chooses to upload a device export, Ofek treats it as user-provided record content.

How Ofek Uses Information

  • Verify identity and account access.
  • Request records when the user asks Ofek to do so.
  • Match records to the correct user.
  • Store records in the user's Ofek account.
  • Parse, normalize, and cite records.
  • Create summaries, timelines, insights, and visit prep materials.
  • Let the user export, print, or share records they choose to share.
  • Provide support and investigate issues.
  • Protect the security and integrity of the service.
  • Comply with applicable law.

Ofek does not sell individually identifiable information. Ofek does not use individually identifiable information for targeted advertising. Ofek does not use health information to assert a claim against a user, except to collect fees the user agreed to pay.

Sharing

Ofek may disclose information:

  • To the user.
  • To people or clinicians the user chooses to share with.
  • To service providers that help Ofek operate the service under privacy and security obligations.
  • To an exchange partner, credential service provider, or responding node as needed to complete the user's request.
  • To comply with law, court order, subpoena, warrant, or other legal process.
  • To investigate or respond to a security incident, privacy complaint, wrong-patient data issue, or network trust issue.

Ofek requires service providers that process individually identifiable information for Ofek to use that information only to provide services to Ofek and to protect it with privacy and security obligations.

De-identified Data

Ofek does not sell or license de-identified or anonymized data to data brokers, advertising firms, marketing firms, or analytics firms. If Ofek creates de-identified or anonymized data for service improvement, security, or research, Ofek prohibits attempts to re-identify people from that data.

Storage

Ofek stores user information in Ofek-controlled application systems and with cloud service providers that support hosting, database, file storage, authentication, communications, identity proofing, record retrieval, security, and AI-assisted processing.

Legal Demands

Unless prohibited by law, Ofek will provide written or electronic notice within three business days after receiving a civil or criminal subpoena, court order, search warrant, or other compulsory demand for disclosure of a user's individually identifiable information.

Unless prohibited by law, Ofek will provide written or electronic notice within three business days after making individually identifiable information available to law enforcement.

Security

Ofek uses commercially reasonable safeguards to protect individually identifiable information from unauthorized or illegal access, use, modification, or destruction.

Ofek encrypts individually identifiable information in transit and at rest. Ofek limits access based on role and account. Ofek records audit events for health-information reads and writes. Ofek preserves audit logs for compliance and security purposes.

Incident Response

Ofek maintains an incident response process for suspected security incidents, privacy incidents, wrong-patient data, unauthorized access, and exchange network trust issues. Ofek investigates reports, limits further exposure, preserves relevant audit evidence, and provides notices required by law, contract, or network policy.

Consent

Before Ofek requests health information through Individual Access Services, the user must provide express documented and informed consent. Consent remains in effect until revoked. Revocation stops future requests. Revocation does not undo actions already taken while consent was active.

User Choices and Rights

  • Access information Ofek maintains in connection with the service.
  • Request an export in a machine-readable format when available.
  • Request correction of account or demographic information the user provided.
  • Ask Ofek to annotate, reprocess, or investigate source information that appears incorrect or belongs to another person.
  • Ask Ofek to delete individually identifiable information it maintains, unless deletion is prohibited by law or the information is retained in audit logs.
  • Ask Ofek to deactivate the user's account.
  • Revoke consent for future Individual Access Services.
  • Ask privacy questions or file a privacy complaint.
  • Report information in a record that appears to belong to another person.

Retention

Ofek retains records while an account is active and while needed to provide the service, comply with law, resolve disputes, protect security, and maintain required audit logs.

When a user withdraws or requests deletion, Ofek deletes or redacts future-use copies where technically feasible and legally permitted. Audit logs may be retained.

Fees

Ofek does not currently charge a separate fee for Individual Access Services. If that changes, Ofek will disclose the fee before the user consents to the paid service.

Changes to This Notice

Ofek may update this notice. Material changes will be disclosed through the service or by email when appropriate. The effective date shows when this notice was last updated.

Contact

Privacy questions, security issues, wrong-patient data reports, and support requests can be sent to avi@aviswerdlow.com.