Data & Privacy Policy
Effective Date: March 17, 2026 | Last Updated: April 4, 2026
This Data & Privacy Policy ("Policy") describes how Provider Plexus, Inc. ("Provider Plexus," "Company," "we," "us," or "our") collects, uses, discloses, stores, and protects information when you use our products, services, applications, and platforms (collectively, the "Services"). This includes the Provider Plexus web application, browser extension, mobile application, telehealth patient portal, audio streaming and transcription services, and all associated APIs.
We understand that the data you entrust to us includes sensitive health information. We take this responsibility seriously and are committed to protecting your privacy in compliance with the Health Insurance Portability and Accountability Act ("HIPAA"), applicable state privacy laws, and industry best practices.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, professional credentials, organizational affiliation, role, and login credentials when you create an account.
- Patient Demographics: Full name, date of birth, Social Security Number, phone number, mailing address, email address, driver's license number, and emergency contact information collected through the telehealth intake portal.
- Insurance Information: Payer name, member ID, group number, plan type, subscriber details, and policy information.
- Clinical Documentation: Medical notes, clinical encounter documentation, procedure details, and diagnostic information uploaded or entered into the Services.
- Audio Recordings: Voice recordings of clinical encounters captured through the ambient documentation features (browser extension and web application) with patient consent.
- Medical Imaging: DICOM files and other medical imaging uploaded through the Services.
- Medical History: Patient-reported medical history, medications, allergies, surgical history, and family medical history.
- Consent Records: Digital signatures and consent form completions for HIPAA authorization and telehealth consent.
- Payment Information: Credit or debit card information provided for payment processing (collected and stored exclusively by Stripe, Inc.; Provider Plexus does not store card numbers).
- Communications: Inquiries, support requests, and feedback submitted through the help form or email.
1.2 Information Collected Automatically
- Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage Data: Pages visited, features used, click patterns, session duration, timestamps, referral URLs, and navigation paths within the Services.
- Performance Data: Page load times, error logs, API response times, and service performance metrics.
- Authentication Events: Login timestamps, login methods (password, SSO, 2FA), failed login attempts, and session activity.
- Cookies and Similar Technologies: Session cookies for authentication and security, and analytics cookies for usage tracking (see Section 8).
1.3 Information Collected Through the Mobile Application
When you use the Provider Plexus mobile application (iOS), the following additional information may be collected:
- Device Identifiers: A unique device identifier (UUID) generated on first launch, used for authentication token management and push notification delivery. This identifier is not linked to hardware identifiers or advertising IDs.
- Device Information: Device operating system and version (e.g., "iOS 17.4"), used for session management and security logging.
- Biometric Authentication: The mobile app supports Face ID for secure login. Biometric data is processed entirely on-device by Apple's Local Authentication framework. Provider Plexus never receives, transmits, or stores your biometric data. Only a boolean preference indicating whether Face ID is enabled is stored.
- Push Notification Tokens: Firebase Cloud Messaging (FCM) tokens are collected to deliver push notifications for incoming consult requests and visit updates. FCM tokens are transmitted to Google's Firebase service solely for notification delivery.
- Profile Pictures: If you upload a profile picture, the image is compressed on-device and transmitted to our servers via HTTPS.
- Authentication Events: Login, logout, and biometric login events are logged with timestamps for security and audit purposes.
- Calendar Integration: If you connect a third-party calendar (Google, Outlook, or Apple Calendar) for schedule management, OAuth authorization codes are exchanged with the respective provider through our backend. Calendar data is used solely for availability management.
What the Mobile App Does Not Collect:
- No location data or GPS coordinates
- No contacts or address book data
- No advertising identifiers (IDFA) or cross-app tracking
- No browsing or search history
- No third-party analytics (no Mixpanel, Google Analytics, or similar services are used in the mobile app)
On-Device Security: All credentials and sensitive data stored locally on the device are encrypted using platform-provided secure storage (iOS Keychain). The app performs device integrity checks (jailbreak detection) locally; no device security data is transmitted to our servers. All API communication uses HTTPS with certificate pinning to prevent man-in-the-middle attacks.
1.4 Information from Third-Party Sources
- Electronic Health Records (EHR): Medical records, clinical data, lab results, and care summaries retrieved from EHR systems through authorized FHIR-based integrations and medical records services, with patient consent.
- Insurance Eligibility: Coverage status and benefit details obtained through eligibility verification services.
- NPI Registry: Provider information obtained from the National Provider Identifier registry for provider lookup features.
- SSO Providers: Authentication attributes provided by SAML or OIDC identity providers during single sign-on.
2. How We Use Information
2.1 Providing and Operating the Services
- Processing clinical documentation for medical code extraction (CPT, ICD-10, HCPCS) and E/M level analysis.
- Transcribing audio recordings and generating ambient clinical notes.
- Facilitating patient intake, insurance verification, and telehealth workflows.
- Processing payments and managing subscriptions.
- Retrieving and integrating medical records from connected EHR systems.
- Managing prior authorization requests and eligibility checks.
2.2 Security and Compliance
- Authenticating users, managing sessions, and enforcing access controls.
- Detecting, preventing, and responding to fraud, abuse, and security threats.
- Maintaining audit trails as required by HIPAA and other regulations.
- Monitoring for unauthorized access or PHI breaches.
2.3 Improvement and Analytics
- Analyzing usage patterns to improve the Services, user experience, and AI model performance.
- Generating aggregate, de-identified analytics and benchmarks.
- Conducting internal research and product development.
2.4 Communications
- Sending service-related notifications (account activity, security alerts, system updates).
- Responding to support requests and inquiries.
- Providing information about new features or service changes (you may opt out of non-essential communications).
2.5 Legal Compliance
- Complying with applicable laws, regulations, legal processes, or governmental requests.
- Enforcing our Terms of Service and other agreements.
- Protecting the rights, property, and safety of Provider Plexus, our users, and the public.
3. Protected Health Information (PHI)
3.1 HIPAA Compliance
When Provider Plexus processes PHI on behalf of a Covered Entity, we do so as a Business Associate under HIPAA. Our handling of PHI is governed by the applicable Business Associate Agreement (BAA) and the HIPAA Privacy, Security, and Breach Notification Rules.
3.2 Minimum Necessary Standard
We apply the HIPAA minimum necessary standard, accessing and processing only the minimum amount of PHI required to fulfill the specific purpose for which it was provided.
3.3 PHI Safeguards
PHI is subject to enhanced protections, including:
- Encryption at Rest: PHI is encrypted using AES-256 encryption via Google Cloud KMS with envelope encryption. Data Encryption Keys (DEKs) are managed with automated rotation and secure caching.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Field-Level Encryption: Sensitive fields (names, phone numbers, addresses, emails, SSN) are individually encrypted in the database using dedicated encrypted column types.
- PHI Redaction in Logs: Application logs are automatically filtered to prevent PHI from appearing in system logs, error reports, or debugging output.
- Access Controls: Role-based access controls, multi-tenant data isolation, and the principle of least privilege are enforced at the application, database, and infrastructure levels.
- Audit Logging: Comprehensive audit trails record access to and actions on PHI, including user identity, timestamp, and action type.
3.4 Breach Notification
In the event of a breach of unsecured PHI, Provider Plexus will notify the affected Covered Entity without unreasonable delay and in no case later than the deadline required under HIPAA (currently 60 calendar days from discovery). We will cooperate with the Covered Entity in fulfilling its breach notification obligations to affected individuals and the U.S. Department of Health and Human Services (HHS).
4. Data Sharing and Disclosure
4.1 We Do Not Sell Your Data
Provider Plexus does not sell, rent, or trade your personal information or PHI to third parties for marketing, advertising, or any other commercial purpose.
4.2 Service Providers and Subcontractors
We share data with third-party service providers who assist in delivering the Services, subject to appropriate contractual and security safeguards:
- AI Processing: OpenAI, Azure OpenAI, and Google Cloud AI Platform process clinical text for code extraction, transcription, and note generation. These providers are bound by data processing agreements and, where processing PHI, by BAAs.
- Payment Processing: Stripe, Inc. processes payment transactions. Stripe is PCI DSS Level 1 certified. Provider Plexus does not receive or store your full card number.
- Cloud Infrastructure: Google Cloud Platform provides hosting, storage, computing, and key management services under a BAA.
- Medical Records: Third-party services facilitate EHR data retrieval under BAAs and FHIR interoperability standards.
- Video Conferencing: Daily.co provides the real-time video infrastructure for telehealth visits. During a video call, audio and video streams are transmitted through Daily.co's servers. Daily.co does not have access to patient medical records or PHI beyond what is communicated during the live video session.
- Push Notifications: Google Firebase Cloud Messaging (FCM) delivers push notifications to the mobile application. FCM receives device tokens and notification metadata; no PHI is included in push notification payloads.
- Analytics: Mixpanel receives de-identified usage analytics data for product improvement purposes in the web application. No PHI is transmitted to Mixpanel. The mobile application does not use Mixpanel or any third-party analytics service.
4.3 Legal Requirements
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request.
- Enforce our Terms of Service or investigate potential violations.
- Detect, prevent, or address fraud, security, or technical issues.
- Protect the rights, property, or safety of Provider Plexus, our users, patients, or the public.
4.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.
4.5 With Your Consent
We may share information with third parties when you have given us explicit consent to do so.
5. Data Retention
5.1 Retention Periods
We retain information for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, and enforce our agreements:
- Account Information: Retained for the duration of your account and for a reasonable period thereafter for legal and operational purposes.
- Clinical Content and PHI: Retained in accordance with the applicable BAA and HIPAA requirements. Medical records are typically retained for a minimum of six (6) years from the date of creation or last effective date, or longer as required by applicable state law.
- Audio Recordings: Retained for the period specified in your subscription agreement or BAA. You may request earlier deletion subject to legal retention requirements.
- Usage and Analytics Data: Retained in de-identified or aggregated form for product improvement purposes.
- Consent Records: Retained for the period required by applicable law to demonstrate valid consent.
- Security and Audit Logs: Retained for a minimum of six (6) years as required by HIPAA.
5.2 Deletion
When data is no longer needed, it is securely deleted or de-identified using industry-standard methods. Encrypted data is rendered unrecoverable through cryptographic key destruction where applicable.
6. Your Rights and Choices
6.1 Access and Portability
You have the right to request access to the personal information we hold about you. Where technically feasible, we will provide your data in a structured, commonly used, machine-readable format.
6.2 Correction
You have the right to request correction of inaccurate or incomplete personal information. For PHI, amendment requests will be handled in accordance with HIPAA requirements.
6.3 Deletion
You may request deletion of your personal information, subject to our legal obligations to retain certain data (e.g., medical records retention requirements, audit logs, and legal holds).
6.4 Restriction of Processing
You may request that we restrict certain processing of your personal information in specific circumstances as permitted by applicable law.
6.5 Opt-Out of Communications
You may opt out of non-essential communications by following the unsubscribe instructions in our emails or by contacting us. You cannot opt out of essential service-related communications (e.g., security alerts, account notifications).
6.6 HIPAA Rights
If your information constitutes PHI, you may have additional rights under HIPAA, including the right to:
- Request an accounting of disclosures of your PHI.
- Request restrictions on certain uses and disclosures.
- Receive confidential communications through alternative means or at alternative locations.
- File a complaint with the HHS Office for Civil Rights if you believe your privacy rights have been violated.
Please note that requests relating to PHI should generally be directed to the healthcare provider (Covered Entity) that collected the information. The Covered Entity will coordinate with Provider Plexus as needed.
6.7 Exercising Your Rights
To exercise any of these rights, contact us at privacy@providerplexus.com. We will respond to verifiable requests within the timeframes required by applicable law (typically 30 days, with extensions available for complex requests).
7. Data Security
7.1 Technical Safeguards
- Encryption: AES-256 encryption at rest via Google Cloud KMS with envelope encryption; TLS 1.2+ for data in transit.
- Authentication: Secure password hashing, two-factor authentication (TOTP), SAML SSO, OAuth2/OIDC support, and biometric authentication (Face ID) on mobile devices.
- Session Security: Server-side session management, configurable inactivity timeouts (HIPAA-compliant), CSRF protection, and secure cookie policies.
- Rate Limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
- Account Lockout: Automatic account lockout after repeated failed login attempts.
- Content Security Policy: Strict CSP headers to prevent cross-site scripting and data injection attacks.
- Certificate Pinning: The mobile application uses public key pinning for all API communication, preventing man-in-the-middle attacks even if a device's certificate store is compromised.
- Device Integrity: The mobile application performs jailbreak and root detection checks to ensure it is running in a secure environment.
7.2 Administrative Safeguards
- Employee access to PHI is limited on a need-to-know basis.
- All personnel with access to PHI receive HIPAA training.
- Incident response procedures are in place for security events and potential breaches.
- Regular risk assessments are conducted as required by the HIPAA Security Rule.
7.3 Physical Safeguards
- The Services are hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and HITRUST certifications.
- Data centers have physical access controls, environmental protections, and 24/7 monitoring.
7.4 Reporting Security Incidents
If you discover a security vulnerability or suspect a breach, please report it immediately to security@providerplexus.com. We investigate all reported incidents promptly.
8. Cookies and Tracking Technologies
8.1 Cookies We Use
- Essential Cookies: Required for authentication, session management, CSRF protection, and core functionality. These cannot be disabled without breaking the Services.
- Analytics Cookies: Used by Mixpanel to collect de-identified usage data for product improvement. These do not track PHI.
8.2 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Services. Disabling analytics cookies will not affect core functionality.
8.3 Do Not Track
The Services do not currently respond to "Do Not Track" (DNT) browser signals due to the lack of an industry-wide standard for DNT implementation.
9. Children's Privacy
The Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13 except as part of the telehealth intake process when a parent or legal guardian provides information on behalf of a minor patient. If we learn that we have collected personal information from a child under 13 without parental consent outside of the healthcare context, we will delete that information promptly.
10. State-Specific Privacy Rights
10.1 California (CCPA/CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination. Note that PHI handled under HIPAA is exempt from the CCPA. To exercise your CCPA rights, contact privacy@providerplexus.com.
10.2 Other State Laws
Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others) may have additional rights regarding their personal information. We will honor applicable rights under your state's privacy law. Contact privacy@providerplexus.com to exercise your rights.
11. International Data Transfers
The Services are hosted in the United States. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Services, you consent to such transfers. Where required by applicable law, we implement appropriate safeguards (such as Standard Contractual Clauses) for cross-border data transfers.
12. Third-Party Links and Services
The Services may contain links to third-party websites or integrate with third-party services. This Policy does not apply to information collected by third parties. We encourage you to review the privacy policies of any third-party services you interact with through the Services.
13. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Policy on the Services with a new effective date.
- Sending email notification to the address associated with your account for significant changes.
Your continued use of the Services after the effective date of any modification constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.
14. Contact Information
If you have questions, concerns, or requests regarding this Policy or our data practices, contact us:
- Privacy Inquiries: privacy@providerplexus.com
- Security Issues: security@providerplexus.com
- General Legal: legal@providerplexus.com
- Support: support@providerplexus.com
If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/ocr.