Privacy Policy

1. Introduction

Clarity Medical AI ("we", "us", "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, store, and safeguard data when you use our platform and services.

2. HIPAA Compliance

Our platform is designed and operated in compliance with the Health Insurance Portability and Accountability Act (HIPAA). We maintain administrative, physical, and technical safeguards to protect Protected Health Information (PHI) as required by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

We enter into Business Associate Agreements (BAAs) with all covered entities that use our Service, and we require the same of our subcontractors.

3. Information We Collect

We collect the following categories of information:

• Account Information: Name, email address, professional role, and organization affiliation provided during account creation.
• Clinical Data: Patient records, clinical notes, documents, and other PHI entered by authorized users in the course of clinical care. This data is processed and stored on your organization's own infrastructure.
• Usage Data: Log-in timestamps, feature usage patterns, and system performance metrics. No PHI is included in usage analytics.
• Device Information: Browser type, operating system, and IP address for security monitoring and access control purposes.

4. How We Use Your Information

We use collected information to:

• Provide, operate, and maintain the clinical platform
• Authenticate users and enforce role-based access controls
• Generate AI-assisted clinical documentation and insights
• Monitor system health, security, and regulatory compliance
• Improve platform functionality and user experience
• Communicate service updates and security notifications

5. Data Processing & AI

Clinical data processed by our AI models is handled locally within your organization's deployment. Our local-first architecture means patient data never leaves your servers for AI inference.

When queries are routed to external LLM providers for general medical knowledge, all PHI is passed through an automated redaction gate before transmission. We do not use your clinical data to train general-purpose AI models.

6. Data Sharing

We do not sell, rent, or share your data with third parties for marketing or advertising purposes. Data may be disclosed only in the following circumstances:

• With your organization's authorized administrators as part of normal platform operations
• With service providers and subcontractors bound by Business Associate Agreements (BAAs)
• When required by law, regulation, or valid legal process (e.g., court order, subpoena)
• To protect the rights, safety, or property of Clarity Medical AI, our users, or the public

7. Data Security

We implement industry-standard and healthcare-specific security measures including:

• Encryption at rest: AES-256 encryption for all stored data, including database records and API keys
• Encryption in transit: TLS 1.3 for all network communications
• Access controls: Role-based access with multi-tenant isolation and row-level security
• Audit logging: Immutable, tamper-proof logging of all data access events
• PII redaction: Automated detection and removal of PHI before any external processing
• Security testing: Regular vulnerability assessments and penetration testing

8. Data Retention

Clinical data is retained in accordance with your organization's data retention policies and applicable healthcare record retention laws. Account and access log data is retained for the duration of the service agreement plus any legally required retention period.

Upon termination of service, your organization may request a full data export. Following export confirmation and the expiration of any required retention period, data will be securely deleted.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate or incomplete data
• Request deletion of your account data (subject to legal retention requirements)
• Receive a copy of your data in a portable, machine-readable format
• Object to or restrict certain processing of your data
• Withdraw consent where processing is based on consent

To exercise any of these rights, contact your organization's administrator or reach out to us directly using the contact information below.

10. Cookies & Tracking

The Service uses essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Usage analytics are collected server-side without third-party tracking scripts.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. Patient records for minors are managed by authorized healthcare professionals in accordance with applicable laws.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws. We will notify users of material changes via the platform or email at least 30 days in advance. Continued use of the Service after updates take effect constitutes acceptance of the revised policy.

13. Contact

For privacy-related inquiries or to exercise your data rights, contact our Privacy Officer at [email protected].

For general inquiries, contact us at [email protected].