Effective date: March 19, 2026
Last updated: March 19, 2026
Applies to: getpario.com and all Pario services

1. Overview

This Privacy Policy describes how Pario ("Pario," "we," "us," or "our") collects, uses, discloses, and protects information about you when you visit our website at getpario.com, use our employer benefits platform, or participate in the Pario imaging steerage program as an enrolled employee.

Pario operates a benefit program that helps self-insured employers reduce imaging costs by routing employees to ACR-accredited independent outpatient facilities before they schedule high-cost hospital-based imaging. This involves receiving notifications about imaging orders and contacting employees with savings opportunities. Because this touches health-adjacent information, we take our data obligations seriously.

Plain language summary: We collect the minimum information needed to run the program. We do not sell your data. We do not share your individual health information with your employer. We are a Business Associate under HIPAA for enrolled employees. You can opt out at any time.

2. Who We Are

Pario is a healthcare technology company incorporated in Florida. Our contact information is in Section 14 of this policy.

For employees enrolled in the Pario program through their employer's health plan, Pario acts as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA). We operate under a signed Business Associate Agreement (BAA) with each employer partner.

For visitors to our website who are not enrolled in the program, Pario acts as a standard data controller under applicable privacy law.

3. What We Collect

From website visitors

  • Name, work email, company name, and job title when you submit a demo request or contact form
  • IP address, browser type, device type, and pages visited via standard server logs
  • Information you voluntarily provide in any free-text fields

From employer contacts (HR, benefits, finance)

  • Business contact information: name, title, work email, phone, company name
  • Employee roster data provided during onboarding (names, employee IDs, enrollment status)
  • HSA administrator credentials required to issue employee rewards (stored encrypted, never logged in plaintext)
  • Aggregate program performance data: cases identified, conversion rates, savings delivered

From enrolled employees

  • Name, mobile phone number, and employer health plan ID at enrollment
  • Imaging order notifications received via FHIR-based EHR integration (authorized by you at enrollment)
  • Facility selection — which option you chose, or that you declined
  • HSA account information used to deliver rewards (stored encrypted)
  • Appointment confirmation status

What we do not collect

  • Diagnostic results, radiology reports, or imaging findings
  • Conditions, diagnoses, or medical history beyond the imaging order type
  • Social Security numbers
  • Payment card information

4. How We Use Your Information

Website visitors and employer contacts

  • To respond to demo requests and sales inquiries
  • To onboard new employer partners and configure their program
  • To send program updates, reporting, and service communications
  • To improve our website and marketing materials

Enrolled employees

  • To receive and evaluate imaging order notifications on your behalf
  • To identify whether a lower-cost, accredited facility exists in your area
  • To send you a single SMS notification with your savings opportunity and facility options
  • To book your appointment at your chosen facility through our care navigators
  • To deposit your HSA reward upon confirmed appointment
  • To generate aggregate — never individual — reporting for your employer

What your employer sees: Your employer receives aggregate program metrics — total cases, total savings, program cost, and net ROI. Your employer never receives information about your individual imaging order, the facility you chose, or your personal health data. This is a contractual condition of every employer agreement we sign.

5. Who We Share Your Information With

Service providers

We share data with third-party vendors who help us operate the program — cloud hosting, HSA payment processors, SMS delivery, and analytics platforms. All sub-processors are contractually bound to handle data only as directed by Pario and to maintain appropriate security standards.

Imaging facilities

When you confirm an appointment, Pario shares your name, imaging order type, insurance information, and preferred appointment time with that facility — the same information any scheduling call would transmit. We do not share your HSA details or reward amount with facilities.

Your employer's HSA administrator

To deliver your reward, we transmit a deposit instruction containing only your account identifier and the reward amount. No health information is included.

Legal requirements

We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Pario, our users, or the public.

Business transfers

If Pario is acquired or merged, personal data may be transferred as part of that transaction. We will notify affected users before data becomes subject to a different privacy policy.

We do not sell your data

Pario does not sell, rent, or trade your personal information to any third party for their own marketing or commercial purposes.

6. Health Information & HIPAA

For enrolled employees, Pario receives Protected Health Information (PHI) as defined under HIPAA — specifically, imaging order notifications from your healthcare provider's EHR system. You authorize this data flow at enrollment under the same individual authorization framework used by Apple Health and other FHIR-based health apps (21st Century Cures Act, 45 CFR § 170.315(g)(10)).

As a HIPAA Business Associate, Pario is required to:

  • Use PHI only for the purposes specified in our BAA with your employer and this policy
  • Implement administrative, physical, and technical safeguards to protect PHI
  • Report any breach of unsecured PHI to your employer within the timeframes required by law
  • Make PHI available to you upon request as required under the HIPAA Privacy Rule
  • Not use or disclose PHI in any manner not permitted by the Privacy Rule

Revoking access: You can revoke Pario's access to your imaging order notifications at any time by emailing privacy@getpario.com or through your EHR patient portal. Revoking access unenrolls you from the program. It does not affect any rewards already received.

7. Data Security

  • All data encrypted in transit using TLS 1.2 or higher
  • PHI and financial credentials encrypted at rest using AES-256
  • Access to production systems is restricted by role and requires multi-factor authentication
  • Regular access reviews and full audit logging of all PHI access
  • Employee PHI stored in isolated data stores separate from general application data

If we discover a security incident affecting your data, we will notify affected individuals and relevant authorities as required by applicable law. For our full security program details, see our Security page.

8. Data Retention

  • Enrolled employee PHI — retained for program duration plus 6 years, as required under HIPAA for Business Associates
  • HSA account credentials — deleted within 30 days of program termination or unenrollment
  • Imaging order notifications — deleted within 90 days of case resolution
  • Employer contact and roster data — retained for employer relationship duration plus 3 years
  • Website visitor data — analytics retained 24 months; form submissions retained 36 months
  • Aggregate program metrics — retained indefinitely in anonymized form

9. Your Rights

Access

You may request a copy of the personal information we hold about you, including any PHI we have processed on your behalf.

Correction

You may request correction of inaccurate personal information. PHI correction requests are processed under the HIPAA Privacy Rule's right to amend.

Deletion

You may request deletion of your personal information. PHI deletion requests are subject to our HIPAA retention obligations — we will inform you of any limitations at the time of your request.

Portability

You may request a machine-readable export of personal information you have provided to us.

Opt-out

Enrolled employees may opt out of the program at any time by contacting privacy@getpario.com. Opt-out terminates future imaging order monitoring and does not affect rewards already earned.

To exercise any of these rights, email privacy@getpario.com. We will respond within 30 days. We will not discriminate against you for exercising your privacy rights.

10. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) provides you with additional rights.

Categories of personal information collected in the past 12 months

Identifiers (name, email, phone), professional or employment-related information (employer, job title), health information (imaging order notifications for enrolled employees), and internet or network activity (website usage data).

No sale or sharing for cross-context advertising

Pario does not sell personal information and does not share personal information for cross-context behavioral advertising. You do not need to opt out because we do not engage in these activities.

Your CCPA rights

  • Right to know what personal information we collect, use, and disclose
  • Right to delete your personal information (subject to legal exceptions)
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising your rights

To submit a California privacy rights request, email privacy@getpario.com with "California Privacy Request" in the subject line.

11. Cookies & Tracking

Essential cookies

Session cookies required for the website to function. Deleted when you close your browser.

Analytics

We use privacy-focused analytics to understand aggregate traffic patterns. We do not use Google Analytics or any platform that builds individual user profiles for advertising purposes.

No advertising pixels

We do not place advertising pixels, retargeting tags, or third-party ad tracking cookies on our website.

You can disable non-essential cookies through your browser settings without affecting your ability to use the Pario website.

12. Children's Privacy

Pario's services are designed for employers and their adult employees. We do not knowingly collect personal information from anyone under 18. If we learn we have inadvertently collected information from a minor, we will delete it promptly. Contact privacy@getpario.com if you believe this has occurred.

13. Policy Changes

When we make material changes, we will update the "Last updated" date above and, for enrolled employees, send email notification at least 14 days before changes take effect. Your continued use of Pario services after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

For privacy questions, rights requests, or data concerns:

  • Email: privacy@getpario.com
  • HIPAA requests: use subject line "HIPAA Request"
  • Rights requests: use subject line "Privacy Rights Request"
  • Mailing address: Pario · Privacy Officer · Jacksonville, FL
  • Response time: acknowledgment within 5 business days, full response within 30 days

For enrolled employees: To revoke access, request your PHI, or ask questions about your imaging order data, email privacy@getpario.com with "HIPAA Request" in the subject line.