Privacy Policy

1. Introduction

Thank you for choosing to use the AskChart platform (“AskChart”), a product and service of Klarity Health, Inc., a Delaware corporation (“Company,” “we,” “us,” or “our”). AskChart is a product line of Klarity Health, Inc. — it is not a separate legal entity. All rights, obligations, representations, warranties, and liabilities described in this Privacy Policy are those of Klarity Health, Inc.

We are committed to protecting your personal information and your right to privacy.

This Privacy Policy describes how Klarity Health, Inc. collects, uses, discloses, and safeguards information when you use the AskChart platform and related services (collectively, the “Platform”). This Privacy Policy applies to healthcare providers, group practices, and their authorized users (“Provider,” “you,” or “your”) who access the Platform.

This Privacy Policy should be read in conjunction with the AskChart Platform Access and Services Agreement and the Business Associate Agreement (Exhibit A thereto), each of which is entered into with Klarity Health, Inc. as the contracting party.

If you have questions or concerns about this Privacy Policy, please contact us at compliance@helloklarity.com.

2. Information We Collect

2.1 Provider Account Information

We collect information you provide when you register for and use the Platform, including: name, professional credentials and license information, practice name and address, email address, phone number, National Provider Identifier (NPI), EHR system credentials (encrypted), payment and billing information, and professional biography.

2.2 Protected Health Information (PHI)

In the course of providing AI Services, the Platform processes Protected Health Information on your behalf, including: patient demographic information, clinical notes and medical records, appointment and scheduling data, insurance and billing information, patient communications, and prescription information. Our use and disclosure of PHI is governed by the Business Associate Agreement (Exhibit A to the Platform Access and Services Agreement) and applicable law, including HIPAA.

2.3 Platform Usage Data

We automatically collect certain information when you use the Platform, including: log data (access times, pages viewed, features used), device and browser information, IP address, workflow configurations and Automation settings, and AI interaction logs (queries submitted, outputs generated).

2.4 Information from Third-Party Systems

When you connect your EHR or other practice management systems to the Platform, we receive information from those systems as authorized by you and necessary to provide the AI Services.

3. How We Use Your Information

3.1 To Provide and Maintain the Platform

We use your information to operate the Platform and deliver the AI Services you have requested, including: executing Provider-approved Automations, processing EHR data to generate AI-assisted outputs, facilitating patient communications (in Draft Mode or Auto-Send Mode as selected by Provider), processing billing and insurance operations, and generating practice reports and analytics.

Patient Communication Modes. Providers control how the Platform handles patient communications through two modes: (a) Draft Mode — the AI generates draft messages for Provider review and manual approval before any communication is sent to a patient; and (b) Auto-Send Mode — the AI generates and sends approved categories of communications automatically on Provider’s behalf, subject to Provider-configured rules and parameters. Provider may switch between modes or configure specific communication types to use different modes. Provider is solely responsible for selecting the appropriate mode and reviewing Auto-Send rules. All patient communications, whether drafted or auto-sent, are treated as authorized uses of PHI under the Business Associate Agreement.

3.2 To Improve the Platform

We use de-identified and aggregated data to improve the Platform’s performance, develop new features, and conduct research. We do not use identifiable Protected Health Information to train general-purpose AI models. De-identification is performed in accordance with 45 CFR 164.514.

3.3 To Communicate with You

We use your contact information to send you service-related communications, including: account notifications, security alerts, product updates and new feature announcements, and billing and payment communications.

3.4 To Comply with Legal Obligations

We use your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests.

4. How We Share Your Information

4.1 With Your Authorization

We process and share PHI on your behalf as authorized under the Platform Access and Services Agreement and Business Associate Agreement.

4.2 Service Providers and Subcontractors

We share information with carefully selected third-party service providers who perform functions on our behalf, subject to written agreements containing terms no less protective than this Privacy Policy and the Business Associate Agreement. These providers include cloud infrastructure providers, AI processing services, payment processors, and analytics providers. A current list of subcontractors with access to PHI is available upon request at compliance@helloklarity.com. We will notify you of material changes to our subcontractor list at least thirty (30) days in advance.

4.3 Legal Requirements

We may disclose your information where required by law. When we receive a government or law enforcement request for Provider data or PHI, we will: (a) evaluate the legal validity and scope of the request; (b) attempt to narrow overly broad requests; (c) notify you of the request unless legally prohibited; and (d) disclose only the minimum information necessary. We maintain records of all government data requests and our responses, which are available to affected Providers upon request.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

5. AI-Specific Data Practices

5.1 AI Processing

The Platform uses artificial intelligence and machine learning technologies, including large language models (LLMs), to process your data and generate outputs. All third-party AI providers with access to PHI are bound by written agreements containing equivalent HIPAA protections. All PHI processed by AI systems is subject to the same safeguards as all other PHI under the Business Associate Agreement.

Important: AI-generated outputs may contain errors, inaccuracies, or omissions. AI is not a substitute for professional clinical judgment. All AI-generated outputs must be reviewed and approved by a licensed healthcare provider before clinical, administrative, or patient-facing use.

5.2 No Training on Identifiable PHI

We do not use identifiable Protected Health Information to train, develop, or improve general-purpose artificial intelligence models. Only data that has been de-identified in accordance with HIPAA standards (45 CFR 164.514) may be used to improve the Platform.

5.3 AI-Generated Outputs

AI-generated outputs that contain or are derived from PHI are treated as PHI for all purposes and are subject to the same protections under the Business Associate Agreement.

5.3A AI Output Non-Uniqueness

AI-generated outputs may not be unique. Due to the nature of machine learning and generative AI, similar or identical outputs may be generated for multiple Providers or users submitting similar inputs. The Platform does not guarantee the uniqueness, originality, or exclusivity of any AI-generated output.

5.4 Audit Logs

We maintain audit logs of all AI interactions involving Protected Health Information. Audit logs are retained for a minimum of six (6) years in accordance with HIPAA retention requirements. Logs are available to you upon request and will be provided within ten (10) business days in a standard export format (CSV or JSON).

5.5 Automated Workflows

When you configure and approve Automations through the Platform, those Automations are treated as authorized uses and disclosures of PHI. You may review, pause, modify, or revoke any Automation at any time through the Platform.

5.6 Automated Decision-Making

The Platform does not engage in decision-making based solely on automated processing that produces legal or similarly significant effects without human involvement. All clinical decisions require licensed Provider review and authorization. If you have questions about automated processing, contact us at compliance@helloklarity.com.

6. Data Security

We implement appropriate administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of your information, including PHI, in accordance with the HIPAA Security Rule (45 CFR 164.308-312) and industry best practices.

Technical Safeguards: Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent); multi-factor authentication (MFA) for all provider and administrative accounts; network segmentation and intrusion detection systems; regular vulnerability scanning and penetration testing.

Administrative Safeguards: Role-based access controls and principle of least privilege; annual security awareness training for all employees; background checks for personnel handling PHI; security incident response procedures; regular security risk analyses.

Third-Party Assurance: Klarity undergoes periodic security assessments to demonstrate compliance with HIPAA and industry security standards. Assessment reports are available upon request under NDA.

Vulnerability Disclosure: If you discover a security vulnerability in the AskChart platform, please report it to security@helloklarity.com.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

6A. Cookies and Tracking Technologies

The Platform does not currently use cookies or third-party tracking technologies for advertising or cross-site behavioral profiling. If we introduce cookies or analytics tools in the future, we will update this Privacy Policy and provide at least thirty (30) days’ notice before introducing any non-essential tracking technologies.

6B. Breach Notification

In the event of a Breach of Unsecured Protected Health Information (as defined under HIPAA), we will notify you within forty-eight (48) hours of discovery with a preliminary notice. A full written notification will be provided within sixty (60) calendar days of discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR 164.404-414) and the Business Associate Agreement.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide you services. Upon termination, we will return or destroy PHI in accordance with the Business Associate Agreement, except as required by law.

After the applicable retention period, data is securely destroyed using industry-standard methods.

8. Your Rights

8.1 Access and Portability

You may request access to the information we hold about you. For PHI, access rights are governed by the Business Associate Agreement and HIPAA.

8.2 Correction

You may request correction of inaccurate information in your account. For PHI amendments, the process is governed by the Business Associate Agreement and HIPAA.

8.3 Deletion

You may request deletion of your account information, subject to our legal retention obligations. PHI deletion is governed by the Business Associate Agreement.

8.4 Automation Controls

You may review, modify, pause, or revoke any Automation at any time through the Platform.

8A. International Data Transfers

The Platform is currently hosted and operated within the United States. All data processing, including AI Services processing, occurs within the United States. If we expand our infrastructure to process data outside the United States in the future, we will update this Privacy Policy and provide at least thirty (30) days’ notice before any material change.

8B. No Sale of Personal Information

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or any other applicable state or federal privacy law. We do not share personal information for cross-context behavioral advertising. This commitment applies to all categories of personal information we collect.

9. State-Specific Rights

California (CCPA/CPRA). If you are a California resident, you may have additional rights including: the right to know what personal information we collect, use, and disclose; the right to request deletion; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of personal information (we do not sell or share personal information). We will not discriminate against you for exercising these rights.

Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and other states. Residents of states with comprehensive privacy laws may have similar rights, including: access, correction, deletion, data portability, and the right to opt out of targeted advertising, profiling, and sale of personal data.

To exercise any state-specific rights, contact us at compliance@helloklarity.com. We will respond within the timeframes required by applicable law (typically 45 days).

9A. Children’s Privacy

The AskChart platform is designed for use by licensed healthcare providers and their authorized staff. The Platform is not directed at individuals under the age of eighteen (18), and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us at compliance@helloklarity.com.

9B. Account Inactivity

If your account remains inactive for twelve (12) consecutive months, we may classify your account as dormant. We will send notice at least sixty (60) days prior to any account action. If you do not respond or reactivate within that notice period, we may suspend or terminate your account and initiate data return or destruction procedures.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on the Platform and updating the “Last Updated” date. We will provide at least thirty (30) days’ notice of material changes.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Klarity Health, Inc.
Attn: Privacy and Compliance
1825 South Grant St, Suite 200
San Mateo, CA 94402
Email: compliance@helloklarity.com
Phone: (866) 391-3314