Effective Date: February 10, 2026
Last Updated: February 10, 2026
Elrond Health Inc., a Delaware corporation doing business as Rivendell in New York and Rivendell Insurance & Administration Services in California (“Rivendell,” “we,” “our,” or “us”), is committed to protecting the privacy and security of your information. This Privacy Policy and Notice of Privacy Practices describes how we collect, use, disclose, and safeguard information when you use our services, including our website at rivendell.health, our platform for managing health insurance disclosure forms for group level-funded health plans, and communications with our team.
This notice is provided pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the California Insurance Information and Privacy Protection Act (“IIPPA”), and other applicable federal and state privacy laws.
By using our services, you acknowledge and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our services.
We collect the following categories of information:
Name, mailing address, date of birth, phone number, email address, Social Security number, employer identification, and other identifiers necessary to facilitate health insurance enrollment and administration.
Information about health coverage, eligibility, enrollment status, plan selection, and health disclosure forms submitted through our platform for group level-funded health plans. PHI is handled in accordance with HIPAA, HITECH, and applicable state law.
IP address, browser type, device identifiers, operating system, pages visited, referring URLs, and interaction data collected through cookies and similar technologies when you use our website.
Records of messages exchanged with our customer support team, including via Apple iMessage, email, and phone, as well as scheduling and enrollment-related correspondence.
We use the information we collect for the following purposes:
We will not sell your information or share it for marketing purposes unrelated to the services you have requested.
We may disclose your information in the following circumstances:
We may use and disclose PHI as necessary for treatment, payment, and health care operations as defined under HIPAA (45 CFR §164.501), including coordinating with insurance carriers, plan administrators, and brokers involved in your health coverage.
We share information with vendors and service providers who assist in delivering our services, including cloud hosting, data analytics, and communications platforms. All vendors handling PHI operate under Business Associate Agreements (BAAs) as required by HIPAA.
We share enrollment and eligibility information with insurance carriers and plan administrators as necessary to process and maintain health coverage.
We may disclose information as required by law, regulation, legal process, or governmental request, including to comply with HIPAA, CMS regulations, state insurance department requirements, and court orders.
We may disclose PHI for public health activities, to report suspected abuse or neglect, to prevent a serious threat to health or safety, and for other purposes permitted by 45 CFR §164.512.
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
We do not sell personal information as defined under the California Consumer Privacy Act (CCPA) or any other applicable state privacy law.
As a covered entity under HIPAA, we are required to inform you of your rights regarding your PHI. You have the right to:
You may request a copy of the PHI we maintain about you in our designated record sets. We will provide a copy within 30 days of your request. We may charge a reasonable cost-based fee for copying.
You may request that we amend PHI that you believe is incorrect or incomplete. We may deny the request if we did not create the information, if the information is not part of our records, or if the information is already accurate.
You may request a list of disclosures of your PHI that we have made for purposes other than treatment, payment, health care operations, or certain other exceptions, for the six years preceding your request.
You may request restrictions on certain uses and disclosures of your PHI. We are not required to agree to all restrictions, but we will comply with any restriction to which we agree. We are required to agree to restrict disclosures to a health plan if the disclosure is for payment or health care operations purposes and the PHI pertains solely to an item or service for which you have paid in full out of pocket.
You may request that we communicate with you about PHI in a particular way or at a particular location. We will accommodate reasonable requests.
You may request a paper copy of this notice at any time, even if you previously agreed to receive it electronically.
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.
To exercise any of these rights, contact:
Privacy Officer, Elrond Health Inc.
895 Broadway, Floor 5, New York, NY 10003
Email: [email protected]
Phone: (646) 600-8840
We are required by law to maintain the privacy and security of your PHI, provide you with this notice of our legal duties and privacy practices, notify you following a breach of your unsecured PHI, and abide by the terms of this notice currently in effect. We reserve the right to change the terms of this notice and to make the new provisions effective for all PHI we maintain. Revised notices will be posted on our website at rivendell.health/privacy and made available upon request.
We retain personal and health information for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law. For health insurance broker and enrollment records, we retain information for a minimum of 10 years from the date of creation or the date the record was last in effect, whichever is later, consistent with CMS record retention requirements. Device and usage data is retained for up to 24 months unless a longer period is required for legal or compliance purposes.
We implement administrative, technical, and physical safeguards designed to protect your information in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). These safeguards include:
While we take reasonable measures to protect your information, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.
In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and no later than 60 days following discovery of the breach, in accordance with 45 CFR §§164.400–414. We will also notify the U.S. Department of Health and Human Services and, where required, the media, as specified by HIPAA.
Our website uses cookies and similar technologies to enhance functionality and analyze usage patterns.
Required for website operation, such as session management and security features.
Used to understand how visitors interact with our website, including page views, traffic sources, and navigation patterns.
You may control cookies through your browser settings. Disabling certain cookies may limit website functionality.
Depending on your jurisdiction, you may have the following rights regarding your personal information that is not PHI:
California residents: Please see our California Privacy Supplement for additional rights under the CCPA/CPRA and the California Insurance Information and Privacy Protection Act.
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly.
We may update this Privacy Policy and Notice of Privacy Practices from time to time. Changes will be posted at rivendell.health/privacy with an updated “Last Updated” date. Material changes will be communicated through our platform or by email. Your continued use of our services after changes are posted constitutes acceptance of the updated policy. We will not retroactively apply material changes to PHI collected before the effective date of the change without your written authorization.
For questions, concerns, or requests regarding this Privacy Policy, your PHI, or your privacy rights, contact:
Privacy Officer
Elrond Health Inc.
895 Broadway, Floor 5
New York, NY 10003
Email: [email protected]
Phone: (646) 600-8840
You may also file complaints with: