Privacy Policy

Last updated: March 8, 2026

Cai Systems LLC ("Company," "we," "us," or "our") operates the Kestrel platform ("Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information and Protected Health Information ("PHI") when you access or use our Service, visit our website at kestrel.to, or otherwise interact with us.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree to this Privacy Policy, you must not access or use the Service. This Privacy Policy should be read together with our Terms of Service and, where applicable, our Business Associate Agreement.

This Privacy Policy applies to all users of the Service, including healthcare professionals, prior authorization coordinators, billing specialists, revenue cycle management staff, practice administrators, and any other individuals who access or use the Service on behalf of a healthcare organization ("Covered Entity"). It does not apply to information collected by third parties, including any third-party websites or services that may be linked from the Service.

1. Information We Collect

We collect information in several ways depending on how you interact with our Service. The categories of information we collect include information you provide directly, information collected automatically, information from third-party sources, and Protected Health Information.

1.1 Information You Provide Directly

When you create an account, subscribe to the Service, contact us, or otherwise interact with us, you may provide the following categories of personal information:

  • Account Registration Information: Your name, email address, and password when you create an account. If you register using a third-party single sign-on provider (Google or Microsoft), we receive your name, email address, and profile image from that provider.
  • Organization Information: Your practice or organization name, National Provider Identifier (NPI), specialty, address, phone number, and other organizational details you provide during account setup and onboarding.
  • Provider Information: Names, NPIs, specialties, and credentials of healthcare providers associated with your practice account.
  • Payment and Billing Information: When you subscribe to a paid plan, payment information (credit card number, billing address) is collected and processed directly by our payment processor, Stripe, Inc. We do not receive, store, or have access to your full credit card number. We receive only a tokenized reference, the last four digits of your card, card type, expiration date, and billing address for record-keeping purposes.
  • Communications: When you contact us via email, contact forms, or other communication channels, we collect your name, email address, and the content of your messages.
  • Business Associate Agreement Information: If your organization executes a Business Associate Agreement through our electronic signing process, we collect the signer's name, title, organization name, and organization address.

1.2 Protected Health Information (PHI)

In the course of providing the Service, you may submit Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The handling of PHI is governed by our Business Associate Agreement and is subject to the protections described in Section 5 of this Privacy Policy. Categories of PHI that may be submitted through the Service include:

  • Patient Identifiers: Patient name, date of birth, and insurance member ID. These identifiers are encrypted at rest using AES-256-GCM encryption and are never transmitted to third-party AI processing services.
  • Clinical Documentation: Clinical notes, medical records, and other clinical documentation submitted for prior authorization analysis. Clinical note text is de-identified before being transmitted to the AI processing service and is processed in-memory only. See Section 5 for detailed information on our PHI processing methodology.
  • Prior Authorization Request Data: Payer name, procedure codes (CPT/HCPCS), diagnosis codes (ICD-10), authorization status, urgency level, and dates associated with prior authorization requests.

1.3 Information Collected Automatically

When you access or use the Service, we automatically collect certain information about your device, usage patterns, and interactions with the Service. This information does not include PHI and is used solely for service operation, improvement, and security purposes.

  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Usage Data: Pages visited within the Service, features used, actions performed (such as creating or updating prior authorization requests, running gap analyses, generating reports), timestamps, and session duration. This data is collected through our internal, first-party analytics system and does not include any clinical content or PHI. Tracked metadata includes only non-identifiable information such as payer name, procedure code category, analysis score ranges, and feature usage counts.
  • Log Data: Server logs that record requests made to our Service, including the URL requested, HTTP method, response status code, referrer URL, and timestamp. Log data is automatically purged and does not contain clinical notes, patient names, or other PHI.

1.4 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Single Sign-On Providers: If you authenticate using Google or Microsoft, we receive your name, email address, and profile image from the identity provider. We do not receive your password from these providers.
  • Payment Processor: Stripe, Inc. provides us with transaction confirmations, subscription status, and limited billing information necessary to manage your account.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery and Operation

  • To provide, operate, maintain, and improve the Service, including prior authorization documentation analysis, gap identification, denial prediction, appeal letter generation, and peer-to-peer preparation.
  • To process and manage your account registration, authentication, and access controls.
  • To process payments and manage your subscription through our payment processor.
  • To provide customer support and respond to your inquiries.
  • To enforce our Terms of Service and other applicable policies.

2.2 Service Improvement and Analytics

  • To analyze de-identified, aggregated usage patterns to improve the Service's accuracy, performance, and user experience.
  • To generate aggregated, de-identified analytics about prior authorization trends, payer behavior patterns, and denial rates to improve our intelligence engine. These analytics never contain PHI or individually identifiable patient information.
  • To monitor the performance, reliability, and security of the Service.
  • To identify and fix bugs, errors, and technical issues.

2.3 Communications

  • To send you transactional communications related to your account, including account verification emails, password reset emails, subscription confirmations, and billing receipts.
  • To send you service-related notifications, including prior authorization deadline alerts, status change notifications, and digest summaries.
  • To send you product updates, feature announcements, and other informational communications about the Service. You may opt out of non-essential communications at any time through your account settings or by using the unsubscribe link in any email.

2.4 Security and Fraud Prevention

  • To detect, prevent, and respond to fraud, unauthorized access, and other security threats.
  • To verify user identity and enforce access controls.
  • To monitor for suspicious activity and potential security breaches.

2.5 Legal Compliance

  • To comply with applicable federal and state laws, regulations, and legal processes, including HIPAA, the HITECH Act, and state privacy laws.
  • To respond to lawful requests from governmental authorities, including law enforcement and regulatory agencies.
  • To establish, exercise, or defend legal claims.

3. How We Share Your Information

We do not sell, rent, or trade your personal information or PHI to third parties. We share information only in the following limited circumstances:

3.1 Service Providers and Sub-Processors

We engage a limited number of trusted third-party service providers to help us operate and deliver the Service. Each service provider that may have access to PHI has executed a HIPAA-compliant Business Associate Agreement with us. Our current service providers include:

Provider | Purpose | Data Shared | BAA
Amazon Web Services (Bedrock) | AI-powered clinical documentation analysis | De-identified clinical text only (patient names, DOB, member IDs removed before transmission) | Yes
Supabase | Database hosting, authentication, and file storage | Account data, encrypted PHI (AES-256-GCM), usage metadata | Yes
Vercel | Application hosting and content delivery | Server-side rendered pages, API request routing | Yes
Stripe, Inc. | Payment processing and subscription management | Billing information, subscription status (no PHI) | N/A
Resend | Transactional email delivery | Email addresses, non-PHI notification content | N/A

3.2 Legal Requirements

We may disclose your information if required to do so by law, or in the good-faith belief that such disclosure is necessary to: (a) comply with a legal obligation, subpoena, court order, or governmental request; (b) protect and defend the rights or property of the Company; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users of the Service or the public; or (e) protect against legal liability. Any disclosure of PHI in response to legal process will be made in accordance with the HIPAA Rules, including the minimum necessary standard.

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your personal information and PHI may be transferred as part of that transaction. In such event, we will notify you and ensure that the receiving entity is bound by obligations at least as protective as those set forth in this Privacy Policy and any applicable Business Associate Agreement, consistent with applicable law and the HIPAA Rules.

3.4 Aggregated and De-Identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual patient or user. This includes aggregate statistics about prior authorization trends, payer approval rates, denial patterns, and documentation completeness metrics. De-identification is performed in accordance with the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), removing all 18 categories of identifiers specified in the regulation. Aggregated data may be used for industry benchmarking, published research, product improvement, and marketing purposes.

3.5 With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so.

4. Cookies and Tracking Technologies

4.1 Cookies We Use

We use a minimal set of cookies that are strictly necessary for the operation of the Service. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies. The cookies we use include:

  • Authentication Cookies: Session cookies set by Supabase to maintain your authenticated session after login. These cookies are essential for the Service to function and cannot be disabled. They are encrypted, httpOnly, and have the Secure flag set.
  • Payment Cookies: Stripe may set cookies for fraud detection and payment processing when you interact with payment forms. These are strictly necessary cookies set by our payment processor.

4.2 No Third-Party Analytics or Advertising

We do not use any third-party analytics services (such as Google Analytics, Mixpanel, Amplitude, PostHog, or Segment), session recording tools (such as Hotjar, FullStory, or LogRocket), advertising networks, or error monitoring services (such as Sentry or Bugsnag) that would transmit user data to external parties. All analytics are collected through our own first-party, internal system and stored in our own HIPAA-compliant database. This design decision was made specifically to minimize the risk of PHI exposure to third parties and to simplify our HIPAA compliance posture.

4.3 Do Not Track

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because we do not use third-party tracking or advertising cookies, the Service already operates in a manner consistent with DNT signals. We do not track users across third-party websites or services.

5. Protected Health Information and HIPAA Compliance

This section describes our obligations and practices with respect to Protected Health Information under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").

5.1 Business Associate Agreement Requirement

Use of the Service with PHI requires a separately executed Business Associate Agreement (BAA) between your organization (as Covered Entity) and Cai Systems LLC (as Business Associate). The BAA governs the permissible uses and disclosures of PHI, establishes safeguard requirements, and defines breach notification obligations. You must not submit PHI through the Service until a BAA has been executed by an authorized representative of your organization. The Service will prompt you to execute the BAA before you are permitted to access features that involve PHI submission.

5.2 PHI Processing Architecture

Our Service processes PHI using a privacy-by-design architecture that minimizes the exposure, retention, and transmission of identifiable health information. The processing flow is as follows:

  1. Encryption at Rest: Patient identifiers (name, date of birth, insurance member ID) and clinical note text stored within prior authorization requests are encrypted using AES-256-GCM encryption before being written to the database. The encryption key is stored as an environment variable and is not accessible through the application interface or API. Encrypted data is decrypted only in server-side memory when accessed by an authenticated, authorized user within the same practice.
  2. De-Identification Before AI Processing: Before clinical note text is transmitted to the AI analysis service (AWS Bedrock), the text is de-identified by programmatically removing patient names, provider names, dates of birth, insurance member IDs, and other identifiers. The de-identified text is then transmitted to the AI model via encrypted HTTPS connection.
  3. In-Memory Processing: The AI model processes the de-identified clinical text entirely in-memory. The text is not stored, logged, persisted, cached, or retained by the AI model provider at any point during or after processing. AWS Bedrock does not use customer inputs or outputs to train or improve its models.
  4. Non-PHI Output: The gap analysis output returned by the AI model contains only structured assessments of documentation completeness (such as "missing physical exam findings" or "no conservative treatment documented"). The output does not contain or reproduce the original clinical note text.
  5. Audit Trail: A non-PHI audit record is created for each analysis, recording only the payer name, procedure code, analysis scores, gap counts, and timestamp. No clinical text, patient names, or other PHI is stored in the audit trail.

5.3 Administrative, Physical, and Technical Safeguards

In accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C), we implement the following categories of safeguards:

  • Administrative Safeguards: Security management processes, workforce training, information access management, security incident procedures, contingency planning, and periodic evaluation of security practices.
  • Technical Safeguards: Unique user identification and authentication, automatic session timeouts, encryption of PHI at rest (AES-256-GCM) and in transit (TLS 1.2+), row-level security policies in the database scoped by practice, audit logging of access events, and integrity controls to prevent unauthorized modification of PHI.
  • Physical Safeguards: Our infrastructure is hosted by AWS, Supabase, and Vercel, each of which maintains SOC 2 Type II compliance and has executed HIPAA Business Associate Agreements. Physical security of data center facilities is the responsibility of these infrastructure providers under the terms of their respective BAAs.

5.4 Minimum Necessary Standard

We apply the minimum necessary standard to all uses and disclosures of PHI. Access to PHI within the Service is limited to authenticated users belonging to the same practice organization that created the data, enforced through database-level row-level security policies. No Kestrel employee or contractor has routine access to unencrypted PHI. Access to the encryption key and production database is restricted to authorized personnel on a need-to-know basis for system administration purposes only.

5.5 Breach Notification

In the event of a Breach of Unsecured PHI (as defined in 45 CFR 164.402), we will notify affected Covered Entities without unreasonable delay, and in no event later than thirty (30) calendar days after discovery of the Breach. Breach notifications will include, to the extent known: (a) identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (b) a description of the nature of the Breach; (c) a description of the types of Unsecured PHI involved; (d) the corrective actions taken; and (e) contact information for further inquiries. We maintain a breach response plan and conduct periodic breach risk assessments.

6. Data Retention

We retain your personal information and PHI for the periods described below, or as required by applicable law:

Data Category | Retention Period
Account information | Duration of account plus 60 days after account closure
Encrypted prior authorization requests (PHI) | Duration of account; deleted upon account termination unless retention is required by law
Clinical note text | Not retained after AI processing completes (in-memory only); encrypted copy stored within the prior authorization request record as described above
De-identified analysis metadata | Indefinite (contains no PHI; used for service improvement and payer intelligence)
Usage activity logs | Rolling 12-month retention; contains no PHI
Payment and billing records | As required by applicable tax and accounting regulations (typically 7 years)
BAA execution records | 6 years from the date of execution or the date when the BAA was last in effect, whichever is later (per 45 CFR 164.530(j))
Error logs | Rolling 90-day retention; PHI-sanitized before storage

Upon account termination, we will delete your personal information and PHI in accordance with the retention periods above and the terms of our Business Associate Agreement. Given our encryption architecture, deletion of the practice-specific encryption context renders all encrypted PHI permanently unreadable even if database records persist during the deletion process.

7. Data Security

We implement commercially reasonable and industry-standard security measures to protect your personal information and PHI against unauthorized access, alteration, disclosure, or destruction. These measures include but are not limited to:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced to prevent protocol downgrade attacks.
  • Encryption at Rest: PHI is encrypted using AES-256-GCM before storage in the database. The database itself is additionally encrypted at rest by the infrastructure provider.
  • Access Controls: Multi-tenant data isolation is enforced through database-level row-level security (RLS) policies. Each practice can only access its own data. Authentication is required for all protected routes and API endpoints.
  • Security Headers: The Service implements Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to protect against common web vulnerabilities.
  • Input Validation: All API endpoints validate input using schema-based validation to prevent injection attacks and malformed data.
  • Password Requirements: User passwords must be at least 12 characters and include uppercase letters, lowercase letters, and numbers. Passwords are hashed using bcrypt by our authentication provider and are never stored in plaintext.

While we strive to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly investigating and responding to any suspected security breach in accordance with our breach notification obligations under HIPAA and applicable state law.

8. Your Rights and Choices

8.1 Account Information

You may access, update, or correct your account information at any time through the Settings page within the Service. You may request deletion of your account by contacting us at privacy@caisystems.dev. Account deletion will be processed in accordance with the retention periods described in Section 6.

8.2 Communication Preferences

You may opt out of receiving non-essential communications (product updates, feature announcements) by updating your notification preferences in your account settings or by clicking the "unsubscribe" link in any marketing email. You cannot opt out of transactional communications necessary for service delivery, including billing receipts, security alerts, and account notifications.

8.3 Data Access and Portability

You may request a copy of the personal information and PHI we hold about your organization by contacting us at privacy@caisystems.dev. We will provide the requested information in a structured, commonly used, and machine-readable format (such as CSV or JSON) within thirty (30) days of receiving your verified request.

8.4 Data Correction

You may request correction of inaccurate or incomplete personal information by contacting us. With respect to PHI, you may update prior authorization request records directly within the Service or contact us for assistance.

8.5 Data Deletion

You may request deletion of your personal information by contacting us at privacy@caisystems.dev. We will honor your request subject to: (a) our legal obligation to retain certain records (including BAA execution records under HIPAA); (b) our legitimate business interests in maintaining de-identified, aggregated analytics; and (c) any outstanding contractual obligations.

8.6 HIPAA Individual Rights

To the extent applicable, and as specified in our Business Associate Agreement, we will cooperate with Covered Entities in fulfilling individual rights requests under HIPAA, including the right to access PHI (45 CFR 164.524), the right to amend PHI (45 CFR 164.526), and the right to an accounting of disclosures (45 CFR 164.528). Individuals should direct HIPAA rights requests to their Covered Entity (your healthcare organization), which will coordinate with us as necessary.

9. Links to Third-Party Websites and Services

The Service may contain links to third-party websites or services that are not owned or controlled by us, including the websites of our service providers, payer organizations, and professional associations. We are not responsible for the privacy practices of these third-party sites. We encourage you to review the privacy policies of any third-party site you visit. This Privacy Policy applies solely to information collected through our Service.

10. Children's Privacy

The Service is intended for use by healthcare professionals and authorized staff who are at least 18 years of age. We do not knowingly collect personal information from children under the age of 13, as defined under the Children's Online Privacy Protection Act ("COPPA"). If we learn that we have collected personal information from a child under 13, we will promptly delete such information. If you believe we may have inadvertently collected information from a child under 13, please contact us at privacy@caisystems.dev.

Note: The Service may process prior authorization requests that involve pediatric patients. Such processing is conducted on behalf of the Covered Entity (the healthcare organization) under the terms of the Business Associate Agreement and is not subject to COPPA, as it involves the processing of PHI by a Business Associate on behalf of a healthcare provider, not the direct collection of information from children.

11. Data Storage and International Transfers

The Service is hosted primarily in the United States. Our infrastructure providers (AWS, Supabase, Vercel) maintain data centers within the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated. The data protection laws of the United States may differ from those of your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.

We do not currently offer data residency options outside the United States. If data residency requirements apply to your organization, please contact us to discuss whether the Service is suitable for your needs.

12. State-Specific Privacy Rights

12.1 California Residents (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"). These rights include the right to know what personal information we collect, use, and disclose; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising your privacy rights. We do not sell or share personal information as defined under the CCPA/CPRA. To exercise your California privacy rights, contact us at privacy@caisystems.dev.

Note: PHI that is collected and maintained pursuant to HIPAA is exempt from the CCPA/CPRA to the extent that it is governed by HIPAA.

12.2 Nevada Residents

If you are a Nevada resident, you have the right to opt out of the sale of your personal information. We do not sell personal information as defined under Nevada law. If you wish to submit an opt-out request, please contact us at privacy@caisystems.dev.

12.3 Other State Privacy Laws

Several other states, including Virginia, Colorado, Connecticut, Utah, and others, have enacted comprehensive consumer privacy laws. If you are a resident of a state with such a law, you may have rights similar to those described for California residents above, including rights of access, correction, deletion, and data portability. To exercise any applicable rights, please contact us at privacy@caisystems.dev.

13. Artificial Intelligence Processing Disclosure

The Service utilizes artificial intelligence ("AI") and machine learning technology to analyze clinical documentation against payer-specific prior authorization requirements. We believe in transparency about how AI is used in the Service and provide the following disclosure:

  • AI Model Provider: We use Anthropic's Claude language models, accessed through Amazon Web Services Bedrock, to perform clinical documentation analysis. AWS Bedrock is a HIPAA-eligible service, and Amazon Web Services has executed a Business Associate Agreement with us.
  • No Model Training on Your Data: Clinical documentation submitted through the Service is NOT used to train, fine-tune, or improve any AI model. AWS Bedrock provides this guarantee contractually. Your clinical data is used solely for the purpose of generating a real-time analysis response.
  • De-Identification: All clinical text is de-identified (patient names, DOB, member IDs, and provider names removed) before being transmitted to the AI model. The AI model never receives identifiable patient information.
  • Advisory Output Only: AI analysis results are advisory only and do not constitute medical advice, a clinical recommendation, or a guarantee of any prior authorization outcome. All clinical decisions remain the sole responsibility of licensed healthcare providers.
  • Human Oversight: The Service is designed to augment, not replace, human judgment. Users are expected to review AI-generated analyses and apply their professional expertise before making decisions based on the Service's output.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will: (a) update the "Last updated" date at the top of this page; (b) provide notice through the Service interface; and (c) where required by applicable law, send you an email notification. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must discontinue use of the Service.

We encourage you to periodically review this Privacy Policy to stay informed about how we collect, use, and protect your information. Prior versions of this Privacy Policy are available upon request.

15. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Cai Systems LLC

Kestrel and Talon are products of Cai Systems LLC

Privacy Inquiries: privacy@caisystems.dev

General Support: support@caisystems.dev

HIPAA Privacy Officer: privacy@caisystems.dev

If you are not satisfied with our response to your inquiry, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (for HIPAA-related matters) or your state attorney general's office (for state privacy law matters).