Privacy Policy
Last updated: 9/30/2025
Introduction and Scope
Priamed Technologies LLC ("Company," "we," "us," or "our") provides a software-as-a-service Platform that automates prior authorization and enables interoperability between medical providers and payers. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you: (a) visit priamed.com (the "Website"); or (b) access or use our Platform, applications, APIs, and developer tools (collectively, the "Platform"). This policy applies to all visitors and Platform Users, including organization administrators, authorized clinical users, support users, and API consumers.
Key Definitions
Platform User
An individual who accesses the Platform under an organization account ("Workspace"), including admins, clinicians, utilization management staff, and developers.
Patient Data / PHI
Patient-related information processed via the Platform that may be Protected Health Information ("PHI") under HIPAA or similar laws.
Information We Collect
Website Interactions
If you join our waitlist, contact us, or request information, we may collect your name, email, phone, job title, organization, healthcare credentials, and your message.
Platform Accounts & Profiles
For Platform Users, we collect account and profile details (e.g., name, work email, role, licensure/credentials, organization, NPI or organization IDs), provisioning metadata, and user preferences.
Usage, Logs, and Telemetry
We collect IP address, device and browser characteristics, session identifiers, API calls, workflow actions related to prior authorization (e.g., submissions and determinations), timestamps, and feature usage to support security, auditing, troubleshooting, and product improvement.
Patient Data / PHI (when applicable)
If your organization uses the Platform for prior authorization workflows, we may process PHI received from or on behalf of Covered Entities, Business Associates, or payers pursuant to applicable law and any Business Associate Agreement ("BAA").
Cookies and Similar Technologies
We use cookies and similar technologies to operate the Website and Platform, maintain sessions, remember preferences, and analyze usage. You may control cookies in your browser; some features may be limited if disabled.
Legal Basis and How We Use Information
Legal Basis
We process information based on: (a) Consent (e.g., marketing opt-ins); (b) Legitimate Interests (e.g., to secure and improve the Platform and communicate service updates); (c) Contract Performance (e.g., to provide the Platform and support to your organization); and (d) Legal Compliance (e.g., maintaining audit logs, responding to lawful requests).
Uses
We use information to authenticate users, operate and secure the Platform, deliver prior authorization automation and interoperability, provide support, maintain auditability, conduct analytics to improve the Platform, and meet legal and contractual obligations (including BAAs). We send transactional/service messages (e.g., security alerts, downtime notices). With consent where required, we may send marketing messages; you may opt out at any time.
AI & Automated Processing
Purpose of AI Processing
We use automated and AI-assisted processing to enhance prior authorization workflows—for example, to extract and structure documentation, check completeness against payer requirements, identify likely attachments, and organize information for review. We do not use PHI to train foundation or general-purpose models. We may use de-identified and/or aggregated data to develop, test, and improve AI features.
Categories of Data Processed
AI features may process personal information and, where configured by your organization, PHI contained in documentation, orders, coverage details, and related metadata submitted to the Platform consistent with this Policy and applicable law/BAAs.
Retention
We may retain prompts, inputs, and outputs associated with AI features in logs for security, audit, quality assurance, and product improvement, consistent with this Policy and applicable law/BAAs.
Third-Party AI Subprocessors
Where third-party AI/ML infrastructure is used, those vendors act as our subprocessors under agreements that require confidentiality, security, and limited-purpose processing. A list of material subprocessors is available upon request and may be updated.
Transparency and Human Review
AI outputs are intended to assist users and are subject to human review within your organization. We provide indicators or context to help you understand when AI has been used to generate or summarize content.
PHI & HIPAA
Role Under HIPAA
When we receive or create PHI to provide services to a Covered Entity or Business Associate, we act as a Business Associate under a BAA and handle PHI in accordance with HIPAA and the BAA.
Safeguards & Access Controls
We implement administrative, physical, and technical safeguards (e.g., role-based access, least privilege, audit logging, encryption in transit and at rest, and workforce training) designed to protect the confidentiality, integrity, and availability of electronic PHI.
Permitted Uses & Disclosures of PHI
We use and disclose PHI only as permitted by law and the BAA—for example, to provide the Platform, support prior authorization workflows, ensure security, and meet legal requirements.
Sharing and Disclosure
Within Your Workspace
Users in the same Workspace (subject to roles and permissions) may access information necessary for operations, such as prior authorization requests, status updates, and audit trails. Workspace administrators manage user roles and data access.
Service Providers and Subprocessors
We share information with trusted vendors (e.g., hosting, security, analytics, communications) under contracts that require confidentiality and limit use to the services provided.
Interoperability Connections
Where configured or instructed by your organization, we exchange data with EHRs, payer systems, or other prior authorization endpoints (e.g., FHIR APIs, CDS Hooks, X12/278) to perform requested workflows.
Legal
We may disclose information to comply with laws, regulations, legal processes, or governmental requests, or to protect rights, safety, and security.
Aggregated/De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify an individual, for research, analytics, benchmarking, or product improvement.
Business Changes
If we undergo a merger, acquisition, financing, or sale of assets, information may be transferred with appropriate notice.
Security
We employ administrative, technical, and physical safeguards aligned with industry frameworks to protect information—such as encryption in transit and at rest, role-based access controls, least-privilege principles, audit logging, periodic assessments, workforce training, and incident response procedures.
Audit Logs and Administrative Access
We maintain audit logs of user actions and system events to support security, availability, and compliance. Limited, authorized personnel may access data as necessary for support, troubleshooting, and compliance, subject to confidentiality obligations and logging.
Data Retention
We retain information for as long as needed to provide the Platform and fulfill the purposes described, comply with legal and contractual obligations (including BAAs), resolve disputes, and enforce agreements. Where feasible, we follow retention schedules and delete or de-identify data when no longer needed.
Your Rights and Choices
Access and Portability
You may request access to personal information we hold about you and, where required by law, receive a copy in a portable format.
Correction
You may request that we correct or update inaccurate or incomplete information.
Deletion
You may request deletion of personal information, subject to legal, contractual, or legitimate business requirements (e.g., audit logs, regulatory retention, BAAs).
Opt-Out of Marketing
You may opt out of marketing communications at any time. Transactional or service-related messages may still be sent.
Requests Involving PHI
Requests to access, amend, or receive an accounting of disclosures of PHI should generally be submitted through your healthcare provider or Workspace administrator, consistent with HIPAA and the applicable BAA.
AI Controls
Where available, Workspace administrators may configure AI features and related data processing settings (e.g., enabling certain AI assistants, restricting data categories, or limiting retention of prompts/outputs). Disabling certain features may impact functionality.
International Data Transfers
Your information may be transferred to and processed in countries other than your own. Where required, we implement appropriate safeguards (e.g., standard contractual clauses or adequacy decisions).
Third-Party Websites and Services
Our properties may link to third-party sites or services not controlled by us. We are not responsible for their content or privacy practices. Review their privacy policies before providing information.
Workspace/Organization Responsibilities
Workspace owners are responsible for configuring roles and access, ensuring lawful collection and sharing of data with us, maintaining accurate admin and security contacts, and complying with their legal and contractual obligations, including any required notices and consents.
Changes to This Privacy Policy
We may update this Policy to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will provide appropriate notice (e.g., posting an updated Policy with a revised "Last Updated" date or in-Platform notice).
Contact Information
For questions or requests regarding this Privacy Policy or our data practices, contact privacy@priamed.com.