Privacy Policy

1. Introduction

ClearAuth AI ("ClearAuth," "we," "us," or "our") provides a cloud-based prior authorization management platform for healthcare practices. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website (clearauthai.com), use our platform, or interact with our services.

By using ClearAuth AI, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.

2. Information We Collect

2a. Account Information

When you create an account or request a demo, we collect:

• Name, email address, phone number
• Practice name, NPI number, specialty
• Billing and payment information (processed securely by third-party payment processors)

2b. Protected Health Information (PHI)

To provide prior authorization services, your practice may submit patient information through our platform, including:

• Patient demographics (name, date of birth, address, insurance information)
• Diagnosis codes (ICD-10), procedure codes (CPT/HCPCS)
• Medication names, dosages, and prescribing information
• Clinical notes, lab results, and supporting documentation
• Insurance member IDs, group numbers, and payer information

All PHI is handled in strict accordance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state privacy laws. See our HIPAA Compliance page for details.

2c. Usage Information

We automatically collect certain information when you use our platform:

• IP address, browser type, device information
• Pages viewed, features used, actions taken within the platform
• Date and time of access, session duration
• Referring URLs

2d. Contact Form Submissions

When you submit a contact form or request a demo, we collect the information you provide (name, email, practice name, phone number, and message content).

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing Services: Processing prior authorizations, generating appeal letters, tracking PA status, and delivering platform features
• AI-Powered Features: Using clinical data you provide to auto-fill PA forms, search for relevant clinical guidelines, and generate evidence-based appeal letters
• Communications: Sending email notifications about PA status changes, account updates, and important announcements
• Platform Improvement: Analyzing anonymized, aggregated usage patterns to improve our product and features
• Customer Support: Responding to inquiries, troubleshooting, and providing technical assistance
• Compliance: Meeting legal obligations, including HIPAA requirements and audit logging

4. How We Share Your Information

We may share information only in the following limited circumstances:

• With Your Authorization: When you direct us to submit PAs or appeals to insurance payers on your behalf
• Service Providers: With trusted third-party vendors who help us operate our platform (e.g., cloud hosting, email delivery), all of whom are bound by Business Associate Agreements (BAAs) where required
• AI Processing: When generating appeal letters, anonymized clinical context may be processed through AI services (Anthropic). No patient identifiers are stored by AI service providers.
• Legal Requirements: When required by law, regulation, court order, or governmental authority
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users

5. Data Security

We implement comprehensive security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access Controls: Role-based access control (RBAC) ensures users only access data relevant to their role
• Authentication: Secure authentication through Auth0 with support for multi-factor authentication (MFA)
• Audit Logging: All access to PHI is logged for compliance and security monitoring
• Infrastructure: Hosted on enterprise-grade cloud infrastructure with redundancy and disaster recovery
• Breach Response: We maintain a breach notification policy in compliance with HIPAA Breach Notification Rule requirements

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Specifically:

• Account Data: Retained for the duration of your account plus 30 days after deletion request
• PHI: Retained in accordance with HIPAA requirements (minimum 6 years for compliance records) or as directed by your practice's data retention policies
• Audit Logs: Retained for a minimum of 6 years per HIPAA requirements
• Usage Data: Retained in anonymized, aggregated form for analytics purposes

7. Your Rights

You have the following rights regarding your information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
• Data Portability: Request an export of your data in a standard format
• Opt-Out: Opt out of non-essential communications at any time

For PHI-related rights (access, amendment, accounting of disclosures), please refer to our HIPAA Compliance page.

8. Cookies and Tracking

Our platform uses essential cookies required for authentication and session management. We do not use third-party advertising cookies or tracking pixels. We do not share browsing data with advertisers.

9. Third-Party Services

Our platform integrates with the following categories of third-party services:

• Authentication: Auth0 (identity and access management)
• Cloud Hosting: Railway (application hosting)
• AI Services: Anthropic (appeal letter generation with clinical guideline search)
• Email: Gmail SMTP (transactional notifications)

Each third-party provider is evaluated for security and compliance. Where PHI may be involved, Business Associate Agreements are executed.

10. Children's Privacy

ClearAuth AI is designed for use by healthcare professionals and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our platform and/or sending an email to the address associated with your account. Your continued use of ClearAuth AI after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy, your data, or our privacy practices, please contact us: