Privacy Policy

Last updated: March 21, 2026

Cai Systems LLC ("Company," "we," "us," "our") operates Kestrel (kestrel.to) and Talon (talonapi.dev). This Privacy Policy explains how we collect, use, share, and protect your personal information and Protected Health Information when you use our Service.

Read this Policy together with our Terms of Service and Business Associate Agreement. By using the Service, you agree to the data practices described here.

This Policy applies to users accessing the Service directly at kestrel.to. RCM organizations are subject to separate data processing terms. This Policy does not apply to third-party websites we may link to.

1. Information We Collect

1.1 Information You Provide

Account information: Name, email, and password — or, if using single sign-on, credentials from Google or Microsoft (we receive name, email, and profile image only; never your SSO password).

Organization information: Practice name, NPI, specialty, address, phone number.

Provider information: Provider names, NPIs, specialties.

Payment information: Processed by Stripe, Inc. We receive only a tokenized reference, last four digits, card type, expiration, and billing address. We never receive or store full card numbers.

Support communications: Content of messages you send us.

BAA execution data: Signer name, title, organization name, address, timestamp.

1.2 Protected Health Information (PHI)

PHI submitted through the Service is governed by our Business Associate Agreement.

Patient identifiers (name, DOB, member ID): Encrypted at rest (AES-256-GCM). Never transmitted to any third-party AI service in identifiable form.

Clinical documentation (notes submitted for PA analysis): De-identified before AI processing. Original encrypted text stored within the PA request record, accessible only to authorized users of your practice account. See Section 5 for full detail.

PA request data: Payer name, CPT/HCPCS codes, ICD-10 codes, authorization status, urgency, dates — associated with each PA request.

1.3 Information Collected Automatically

Device and session data: IP address, browser type and version, operating system, device type, language.

Usage data: Features used, actions performed, timestamps, session duration. Tracked as non-PHI metadata only (payer name, code categories, score range buckets, feature interaction counts). No raw clinical note text in usage data.

Server logs: Request logs (URL, HTTP method, response status, timestamp). Purged on a rolling basis. No PHI in logs.

1.4 From Third Parties

Google / Microsoft SSO: Name, email, profile image only.

Stripe: Transaction confirmation, subscription status, billing address.

2. How We Use Your Information

Deliver and operate the Service — Account data, practice data, PA request data.

Process payments and manage subscriptions — Billing data via Stripe.

Customer support — Account data, communication content.

Enforce Terms of Service and investigate violations — Usage data, API logs.

Improve Service accuracy and features — De-identified aggregated metadata (no PHI).

Develop network-level payer intelligence — De-identified aggregated metadata (opt-in; see Section 7).

Transactional communications — Email address (receipts, alerts, security notices).

Product updates and announcements — Email address (opt-out available).

Detect fraud and unauthorized access — Usage data, IP address, API logs.

HIPAA and legal compliance — PHI (under BAA only), account data.

We never use PHI for marketing, advertising, or any purpose outside the BAA.

3. How We Share Your Information

We do not sell, rent, or trade your personal information or PHI.

3.1 Service Providers

We share data with the following providers, each bound by data processing agreements. All providers with PHI access have executed HIPAA BAAs:

Provider — Purpose — Data shared — BAA

Amazon Web Services (Bedrock) — AI clinical analysis — De-identified clinical text only — BAA: Yes

Supabase — Database, authentication, storage — Account data, encrypted PHI, usage metadata — BAA: Yes

Vercel — Application hosting, CDN — Request routing, server-side processing — BAA: Yes

Stripe, Inc. — Payment processing — Billing info, subscription status (no PHI) — BAA: N/A

Resend — Transactional email — Email addresses, non-PHI content — BAA: N/A

We will update this table and notify users at least thirty (30) days in advance when sub-processors with PHI access change materially.

3.2 Legal Requirements

We may disclose information when required by law, court order, subpoena, or governmental authority. For any PHI disclosure in response to legal process, we comply with HIPAA's minimum necessary standard and notify Covered Entity to the extent permitted by law.

3.3 Business Transfers

In a merger, acquisition, or asset sale, your information may transfer to an acquiring entity, subject to equivalent privacy and HIPAA protections. We will notify you of any such transfer and your options.

3.4 De-Identified Aggregated Data

We may share aggregated, de-identified data — such as network-level payer denial rate statistics or CPT code approval benchmarks — in reports, research, or for product marketing. De-identification follows HIPAA Safe Harbor (45 CFR 164.514(b)(2)). This data cannot reasonably identify any individual patient, provider, or practice.

3.5 With Your Consent

We share with third parties only with your explicit prior consent, outside the circumstances above.

4. Cookies and Tracking Technologies

4.1 Cookies We Use

We use only strictly necessary cookies:

Authentication cookies: Session cookies set by Supabase to maintain your authenticated session. Required for the Service to function. Cannot be disabled without breaking authentication.

Payment security cookies: Set by Stripe when you interact with payment forms for fraud detection. Strictly necessary for payment processing.

4.2 No Third-Party Analytics or Advertising

We do not use third-party analytics services, session recording tools, error monitoring services, or advertising networks that transmit identifiable user data or PHI to external parties. All analytics are collected through our own first-party internal system and stored in our HIPAA-compliant database. If we add any such external service in the future, we will update this Privacy Policy with at least thirty (30) days' advance notice before doing so.

4.3 Global Privacy Control

Because we do not use targeted advertising or third-party tracking, the Service is already consistent with Global Privacy Control (GPC) opt-out signals. We do not engage in data sale or targeted advertising.

5. PHI and HIPAA Compliance

5.1 BAA Required

PHI submission requires a separately executed BAA. Do not submit PHI before your BAA is executed.

5.2 Technical Architecture for PHI

1. Encryption at rest: PHI fields encrypted AES-256-GCM before database write. Encryption keys stored separately as environment variables, not exposed through the application or API.

2. Role-based access: PHI accessible only to authenticated, authorized users of the specific practice account that submitted it, enforced at the database layer through row-level security.

3. De-identification before AI: Patient identifiers programmatically removed from clinical text before transmission to AI processing. Notes that cannot be reliably de-identified are flagged for human review rather than automatically processed. A written De-Identification Methodology Document describes our process and is available on request.

4. In-memory AI processing: De-identified text processed in-memory by AWS Bedrock. Not stored or retained by the AI provider. Not used for model training.

5. Non-PHI output: Gap analysis results contain structured assessments only. They do not reproduce clinical note text.

6. Audit trail: Analysis records contain only payer name, procedure code, analysis scores, gap count, and timestamp. No PHI.

5.3 Security Measures

In transit — TLS 1.2+ with HSTS

At rest — AES-256-GCM PHI encryption; provider-level disk encryption

Access control — Row-level security; PKCE authentication; BAA gate before PHI access

Application — CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers

Credentials — bcrypt password hashing via Supabase Auth

Sub-processors — HIPAA BAA required for all PHI-touching providers

5.4 Minimum Necessary

PHI access is limited to authenticated users of the submitting practice, enforced at the database layer. No Company employee has routine access to unencrypted PHI. Access to production credentials and encryption keys is restricted to authorized system administrators and logged.

5.5 Breach Notification

If a Breach of Unsecured PHI occurs, we will notify affected Covered Entities without unreasonable delay and within thirty (30) calendar days of discovery, as detailed in the BAA. We maintain automated monitoring to detect potential Breaches promptly.

6. Data Retention

Account information (name, email, org) — Duration of account + 60 days post-closure

Encrypted PA requests containing PHI — Duration of account; deletion initiated within 30 days of account termination unless legal hold applies

Clinical note text (AI processing path) — Not retained; processed in-memory only

De-identified analysis metadata — Indefinite; no PHI; used for service improvement and payer intelligence

Usage/activity logs — Rolling 12 months; no PHI

Error logs — Rolling 90 days; PHI-sanitized before storage

Payment and billing records — As required by applicable tax/accounting law (typically 7 years)

BAA execution records — 6 years from execution date or last effect, per 45 CFR 164.530(j)

Security incident logs — 6 years, per HIPAA Security Rule documentation requirements

7. Network Intelligence and Your Data Choices

The Company uses de-identified aggregated analysis metadata — payer name, procedure code, gap result categories, scores, outcomes, never PHI — to improve the Service, develop payer intelligence that benefits all users, and train internal models.

This use is opt-in. During account setup, you will be presented with a separate checkbox: "I agree that de-identified, aggregated analysis data from my use may be used by Kestrel to improve the Service and develop network-level payer intelligence."

If you do not check this box, your usage data will not be incorporated into network-level models, benchmarks, or payer intelligence. You may access all features of the Service regardless. You may change this preference at any time in account settings under Privacy Preferences.

Retroactivity: If you opt out after previously having opted in, future usage data will not be incorporated into network-level models. Previously contributed de-identified aggregated metadata cannot be removed from existing models, because it has been aggregated and can no longer be traced to your individual account. This is consistent with HIPAA Safe Harbor de-identification standards and applicable privacy law exemptions for de-identified data. There is no personal data to delete because the data is not personally identifiable.

8. Your Privacy Rights

Access and correction: Update account information in Settings. Request a copy of personal information at legal@caisystems.dev.

Data portability: Request your personal data in CSV or JSON format within thirty (30) days.

Deletion: Request account deletion at legal@caisystems.dev, subject to legal retention obligations (BAA records, billing records). Deleted account data is purged per Section 6.

Opt out of marketing communications: Click "unsubscribe" in any marketing email, or update notification preferences in Settings. Transactional communications (receipts, security alerts, service notices, breach notifications) cannot be opted out of.

Network intelligence opt-out: Change your preference at any time in account Settings under Privacy Preferences.

HIPAA individual rights: Individual patient rights under HIPAA (access, amendment, accounting of disclosures) must be directed to your Covered Entity, which coordinates with us. Patients are not direct parties to this Policy.

9. AI Processing Disclosure

Model provider: Anthropic's Claude language models via AWS Bedrock, operating under a HIPAA-compliant BAA.

No model training on your data: Clinical data submitted through the Service — including de-identified text — is NOT used to train, fine-tune, or improve any AI model. AWS Bedrock contractually guarantees this. If this guarantee changes materially, we will update this Policy and notify affected users before the change takes effect.

De-identification: All clinical text is de-identified before transmission. The AI model never receives identifiable patient information. Notes that cannot be reliably de-identified are flagged for human review before processing.

Advisory only: AI Output is advisory. It does not constitute medical advice, clinical decision support, or a guarantee of any PA outcome. Human review is required before acting on any AI Output.

No patient interaction: Kestrel's AI systems are not designed for and must not be used for direct patient interaction.

Texas AI disclosure (TRAIGA / SB 1188): Texas healthcare practitioners subject to TRAIGA (effective January 1, 2026) or Texas SB 1188 are responsible for providing required AI use disclosures to patients and for personally reviewing all AI Output before making clinical or administrative decisions.

10. Children's Privacy

The Service is designed for users 18 and older. We do not knowingly collect personal information from children under 13. Contact legal@caisystems.dev immediately if you believe we have done so.

The Service may process PA requests for pediatric patients as PHI under the BAA. This processing is performed on behalf of the Covered Entity and is not subject to COPPA, which governs direct collection from children.

11. Data Location

The Service is hosted in the United States. AWS, Supabase, and Vercel maintain U.S.-based data centers. If you access from outside the U.S., your information may be transferred to and processed in the U.S. By using the Service you acknowledge and consent to this transfer. We do not offer data residency outside the U.S.

12. State Privacy Rights

Most U.S. comprehensive state privacy laws exempt PHI regulated by HIPAA from their requirements. As of March 2026, twenty states have comprehensive privacy laws in effect:

California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, Montana, Oregon, Texas (TDPSA), Tennessee, Minnesota, Maryland, New Jersey, Delaware, New Hampshire, Nebraska, Kentucky, Rhode Island (DTPPA), and Arkansas.

Key notes for Kestrel users:

PHI exemption: In all states listed, PHI processed under HIPAA by a Business Associate acting within the scope of HIPAA is exempt from the state law. Your clinical data submitted to Kestrel qualifies for this exemption.

Non-PHI personal data (account info, usage data): Subject to applicable state rights including access, correction, deletion, and portability. Exercise these rights at legal@caisystems.dev.

No data sale: We do not sell personal data under any state law definition. We do not engage in targeted advertising.

Texas TRAIGA: See Section 9 for AI-specific Texas obligations applicable to practitioners.

California CMIA: We address California's Confidentiality of Medical Information Act by obtaining explicit opt-in consent for network intelligence data use (see Section 7), treating health-related data with heightened care.

Rhode Island DTPPA (effective January 1, 2026): Our PHI processing as a HIPAA Business Associate is exempt under the DTPPA's HIPAA carve-out. Non-PHI personal data is handled consistent with the DTPPA's requirements, including data minimization and security obligations.

To exercise any state privacy right: legal@caisystems.dev. We respond within the applicable state law timeframe (generally 30-45 days).

13. Changes to This Policy

For non-material changes (corrections, clarifications), we post the updated Policy at kestrel.to/privacy with an updated date.

For material changes (changes to how PHI is handled, how data is shared, or to data retention periods), we will: (i) provide at least thirty (30) days' advance written email notice; and (ii) require in-app reacceptance before your next login following the change effective date.

Prior versions are available at kestrel.to/privacy/history upon request.

14. Contact

Cai Systems LLC

All legal, HIPAA, compliance, and privacy inquiries: legal@caisystems.dev

Product support: support@kestrel.to

Email is the Company's designated primary notice channel. The Company does not maintain a public physical mailing address for notice purposes. If physical delivery is required by law or court order, contact legal@caisystems.dev to obtain current mailing information.

If your privacy concern is not resolved, you may file a complaint with: HHS Office for Civil Rights (HIPAA) at hhs.gov/ocr, your state attorney general's office, or the California Privacy Protection Agency (CPPA, if California resident).

Version 2.0 — effective March 21, 2026