Contact Us

Orva Product Privacy Policy

 

Effective Date: April 22, 2025
Last Updated: May 20, 2025

Definitions

For the purposes of this Privacy Policy, the following terms are defined as follows:

ADHICS: The Abu Dhabi Healthcare Information and Cyber Security Standard, issued by the Department of Health – Abu Dhabi. It outlines the regulatory framework for safeguarding personal health information and cybersecurity practices in healthcare environments across the Emirate.

UAE PDPL: The United Arab Emirates Federal Decree Law No. 45 of 2021 on the Protection of Personal Data, which governs the processing, transfer, and protection of personal data within the UAE.

HIPAA: The Health Insurance Portability and Accountability Act of 1996, a U.S. federal law that establishes national standards for protecting sensitive patient health information.

Protected Health Information (PHI): Any individually identifiable health information, including medical history, diagnosis, treatment, and personal identifiers such as name, date of birth, or patient ID, collected or processed in connection with healthcare delivery.

Personal Data: Any data relating to an identified or identifiable individual, including but not limited to names, device IDs, IP addresses, biometric data, or any data subject to UAE PDPL or other privacy laws.

De-Identified Data: Information that has been processed to remove or obscure personal identifiers, making it no longer reasonably capable of being associated with a specific individual, in accordance with HIPAA and ADHICS requirements.

Voice Data / Audio Input: Any audio captured by the Orva system through wake-word activation (“Hey Orva”), including voice commands, time-stamped utterances, and associated metadata.

System Metadata: Operational data collected by Orva to support performance monitoring and diagnostics, such as device ID, session logs, time of interaction, and assigned user role.

Data Controller: The entity (typically the healthcare provider or facility) that determines the purpose and means of processing personal or health data, in accordance with ADHICS or HIPAA guidelines.

Data Processor: A third-party organization (such as Orva) that processes data on behalf of the Data Controller, as defined by contractual agreements and applicable data protection laws.

Confidential Data: As classified in Orva’s internal data governance framework, this includes PHI, personal data, audio recordings, and system logs that are subject to strict access, encryption, and retention policies.

Retention Period: The timeframe during which data is maintained by Orva or its partners, as defined by legal, contractual, or clinical requirements, after which data is securely deleted or archived.

Anonymized Data: Data that has been permanently stripped of personal identifiers and cannot be re-linked to an individual, used for benchmarking, training, or analytical purposes without re-identification risk.

Business Associate Agreement (BAA): A legally binding document required under HIPAA that governs the responsibilities of a third party (such as Orva) in safeguarding PHI on behalf of a covered healthcare entity.

Session: A discrete period of Orva usage within an operating room or clinical setting, during which data collection, voice activation, and logging occur under user supervision.

User Roles: Designated permissions assigned within the Orva system to clinicians, administrators, or other authorized users based on least privilege and clinical responsibilities.

Policy

Orva is a clinical-grade voice assistant developed by RAIN Technology, Inc. (for the United States) and RAIN Technology ME LTD (for the United Arab Emirates), collectively referred to as “Orva,” “we,” “our,” or “us.” This Privacy Policy outlines how we collect, use, store, and protect data within our software platform (“Orva”) when used in surgical environments.

Your use of the Orva product, whether as a healthcare provider, facility administrator, or end user, constitutes your acceptance of the applicable version of this Privacy Policy, based on your region. If you do not agree, you should not access or use the Orva platform.

Applies to healthcare providers and patients located in the United Arab Emirates

1. Introduction

We are committed to protecting the confidentiality, integrity, and availability of healthcare data in accordance with ADHICS v2, UAE PDPL, and applicable Ministry of Health (MOHAP) regulations.

2. Data We Collect

The Orva system may collect the following categories of data:

     

      • Surgical Event Data: Time-stamped milestones and voice notes describing clinical or operational events

      • Personal Health Information (PHI): Name, DOB, patient ID, procedure type (as input by facility)

      • Session Metadata: Device ID, room ID, usage timestamps, and user role identifiers

      • Voice Samples: Audio clips triggered after activation via wake word (“Hey Orva”), used only for system functionality and training

    3. Legal Basis & Consent

    The use of Orva’s voice-enabled features within clinical settings is governed by applicable data protection and health information privacy laws, including the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) standards, which establish requirements for the collection, processing, and safeguarding of health data.

    Patient consent for the use of Orva’s voice technology—including the capture and processing of voice data and any associated protected health information (PHI)—is obtained as part of the healthcare facility’s general surgical consent process. This consent is considered valid under ADHICS, which allows for the integration of digital health technologies into patient care workflows when informed consent has been obtained and documented by the healthcare provider.

    Orva’s legal bases for processing personal data under ADHICS and other applicable laws include:

       

        • Legitimate interest: Orva processes voice and clinical data as necessary to operate a clinical decision-support tool, enhance workflow efficiency, and support real-time surgical documentation.

        • Consent (where applicable): In cases where de-identified audio or metadata may be used to improve the system’s performance (e.g., model training or validation), additional consent may be required and will be obtained accordingly.

        • Contractual necessity: Orva processes data as necessary to fulfill its contractual obligations with healthcare institutions, which act as data controllers under ADHICS. These institutions are responsible for ensuring lawful patient data processing in accordance with their internal policies and national regulations.

      Healthcare institutions deploying Orva are expected to ensure that all patients are informed of the use of such technologies, the purpose for which voice data may be recorded, and the rights afforded to them under ADHICS, including the right to access, rectify, or request deletion of their personal data where applicable.

      For more information about the ADHICS guidelines and compliance requirements, please refer to the Department of Health – Abu Dhabi’s official website: https://www.doh.gov.ae

      4. How We Use the Data

      Collected data is used for the following purposes:

         

          • Intraoperative workflow support (e.g., triggering prompts, recording milestones)

          • Post-operative analysis (e.g., benchmarking, compliance, OR efficiency)

          • Product improvement (e.g., improving AI response and NLP accuracy) We do not use PHI/PII for any purpose unrelated to healthcare delivery or product performance.

        5. Data Residency

        Data Classification and Handling
        All voice recordings and associated PHI are classified as Confidential under Orva’s internal data classification framework. As such, they are subject to strict access controls, encryption requirements, and handling procedures, including:

           

            • Encryption of all data in transit and at rest in accordance with industry standards

            • Access limited to personnel with a documented need and appropriate authorization

            • Secure storage in systems that prevent unauthenticated access

            • Prohibition of storage on unauthorized or personal devices

            • Regular review of access privileges and secure data disposal at the end of retention periods

          Retention & Disposal
          PHI and voice recordings are retained in accordance with the healthcare provider’s documented retention schedule, in line with legal, regulatory, and contractual requirements. De-identified data and system logs may be retained for up to five (5) years for the purposes of product improvement, system auditing, and incident forensics, unless otherwise restricted by the data controller. Personally identifiable data is securely disposed of when it no longer serves a legitimate business or clinical purpose, or upon verified request from a data subject in compliance with applicable laws.

          6. Data Sharing & Access

             

              • Data is only shared internally within the healthcare facility or authorized administrators.

              • We do not share PHI/PII with any external third party, including affiliates, vendors, or research partners, unless:
                • Data is fully anonymized or aggregated

                   

                    • Required by UAE legal or regulatory authorities with proper authorization

                • All access is role-based and logged.

              7. Data Security

              Orva implements administrative, technical, and physical safeguards:

                 

                  • AES-256 encryption at rest

                  • TLS 1.2 or 1.3 encryption in transit

                  • Continuous auditing and role-based access controls

                     

                  • ADHICS-aligned security incident response protocols

                     

                8. User Rights (UAE PDPL)

                In accordance with the UAE Personal Data Protection Law (PDPL), Federal Decree Law No. 45 of 2021, individuals whose personal data is processed through the Orva platform are granted specific rights regarding the access, correction, use, and deletion of their personal data. These rights may be exercised directly by the data subject or through their authorized healthcare provider, who serves as the data controller under UAE law.

                Subject to lawful exceptions and institutional policy, you or your healthcare provider may:

                   

                    • Request access to your personal data, including voice recordings, system metadata, or account activity processed through the Orva platform.

                    • Request rectification or correction of inaccurate or incomplete personal data to ensure its accuracy and relevance to the purpose for which it was collected.

                    • Request erasure of personal data that is no longer required or that was processed unlawfully, unless retention is required under healthcare, contractual, or regulatory obligations.

                    • Object to further processing of your personal data under legitimate interest or public interest bases, unless compelling lawful grounds exist.

                    • Withdraw consent for the processing of voice recordings or other personal data used for non-essential or secondary purposes (e.g., AI model training), provided such data has not already been irreversibly de-identified.

                  How to Submit a Request

                  Requests to exercise any of the above rights may be submitted:

                     

                      • Through your healthcare provider, which is responsible for overseeing compliance with data subject rights under UAE PDPL and ADHICS, or

                      • Directly to RAIN Technology ME LTD by emailing hello@orvahealth.com

                         

                    RAIN will acknowledge receipt of your request within five (5) business days and will respond or fulfill the request within thirty (30) calendar days, in accordance with Article 14 of the PDPL. Extensions may apply for complex or high-volume requests, with notice provided.

                    RAIN reserves the right to verify the identity of the requester and may refer certain requests to the healthcare provider for further processing, where required by contractual or regulatory obligations.

                    9. Tracking & System Analytics

                    To maintain a secure, stable, and high-performing platform, Orva collects and processes anonymized technical data and system usage metrics. These analytics are critical for operational reliability, product improvement, and service optimization.

                    Purpose of Data Collection

                    RAIN Technology ME LTD collects the following categories of non-identifiable and anonymized system data:

                       

                        • Usage logs detailing user interactions with the platform, excluding any direct PHI or personally identifiable information

                        • Performance metrics related to application responsiveness, system uptime, and infrastructure efficiency

                        • Error reports and diagnostic events generated by the software during device use, application crashes, or abnormal behavior

                        • Feature utilization trends and workflow telemetry, used to enhance interface design, improve automation performance, and identify common usage patterns

                      These analytics are processed exclusively for the following purposes:

                         

                          • Product support and debugging to ensure smooth clinical usage and respond to platform issues

                          • Quality assurance and reliability testing, including proactive monitoring of performance baselines

                          • Usage benchmarking, helping RAIN and institutional customers measure the effectiveness of voice workflows and identify optimization opportunities

                        Data Protection & Compliance

                           

                            • All analytics data is anonymized or pseudonymized at the point of collection to ensure no direct patient identifiers (e.g., name, MRN, voiceprints) are retained.

                            • These logs do not contain PHI and are never combined with identifiable clinical data.

                            • Data is stored in UAE-based secure environments, retained in accordance with institutional policies and ADHICS v2 recordkeeping expectations.

                            • Access to anonymized analytics is limited to authorized personnel for operational and compliance functions only.

                          RAIN Technology ME LTD does not use tracking data for advertising, commercial profiling, or user behavior analysis unrelated to clinical functionality.

                          10. Policy Updates

                          We may amend this policy in response to legal, operational, or regulatory changes. Facilities will be notified of material changes in advance, and a revised effective date will be posted.

                          11. Contact

                          RAIN Technology ME LTD
                          Level 14, Al Sarab Tower
                          ADGM Square, Al Maryah Island
                          Abu Dhabi, UAE
                          Email: hello@orvahealth.com