ASKCHART PRIVACY POLICY

Updated: April 2026

1. INTRODUCTION

Thank you for choosing to use the AskChart platform ("AskChart"), a product and service of Klarity Health, Inc., a Delaware corporation ("Company," "we," "us," or "our"). AskChart is a product line of Klarity Health, Inc. — it is not a separate legal entity. All rights, obligations, representations, warranties, and liabilities described in this Privacy Policy are those of Klarity Health, Inc.

We are committed to protecting your personal information and your right to privacy.

This Privacy Policy describes how Klarity Health, Inc. collects, uses, discloses, and safeguards information when you use the AskChart platform and related services (collectively, the "Platform"). This Privacy Policy applies to healthcare providers, group practices, and their authorized users ("Provider," "you," or "your") who access the Platform.

This Privacy Policy should be read in conjunction with the AskChart Platform Access and Services Agreement and the Business Associate Agreement (Exhibit A thereto), each of which is entered into with Klarity Health, Inc. as the contracting party.

If you have questions or concerns about this Privacy Policy, please contact us at compliance@helloklarity.com.

2. INFORMATION WE COLLECT

2.1 Provider Account Information

We collect information you provide when you register for and use the Platform, including: name, professional credentials and license information, practice name and address, email address, phone number, National Provider Identifier (NPI), EHR system credentials (encrypted), payment and billing information, and professional biography.

2.2 Protected Health Information (PHI)

In the course of providing AI Services, the Platform processes Protected Health Information on your behalf, including: patient demographic information, clinical notes and medical records, appointment and scheduling data, insurance and billing information, patient communications, and prescription information. Our use and disclosure of PHI is governed by the Business Associate Agreement (Exhibit A to the Platform Access and Services Agreement) and applicable law, including HIPAA.

2.3 Platform Usage Data

We automatically collect certain information when you use the Platform, including: log data (access times, pages viewed, features used), device and browser information, IP address, workflow configurations and Automation settings, and AI interaction logs (queries submitted, outputs generated).

2.4 Information from Third-Party Systems

When you connect your EHR or other practice management systems to the Platform, we receive information from those systems as authorized by you and necessary to provide the AI Services.

3. HOW WE USE YOUR INFORMATION

3.1 To Provide and Maintain the Platform

We use your information to operate the Platform and deliver the AI Services you have requested, including: executing Provider-approved Automations, processing EHR data to generate AI-assisted outputs, facilitating patient communications (in Draft Mode or Auto-Send Mode as selected by Provider), processing billing and insurance operations, and generating practice reports and analytics.

Patient Communication Modes. Providers control how the Platform handles patient communications through two modes: (a) Draft Mode — the AI generates draft messages for Provider review and manual approval before any communication is sent to a patient; and (b) Auto-Send Mode — the AI generates and sends approved categories of communications automatically on Provider's behalf, subject to Provider-configured rules and parameters. Provider may switch between modes or configure specific communication types (e.g., appointment reminders, intake follow-ups) to use different modes. Provider is solely responsible for selecting the appropriate mode and reviewing Auto-Send rules. All patient communications, whether drafted or auto-sent, are treated as authorized uses of PHI under the Business Associate Agreement.

3.2 To Improve the Platform

We use de-identified and aggregated data to improve the Platform's performance, develop new features, and conduct research. We do not use identifiable Protected Health Information to train general-purpose AI models. De-identification is performed in accordance with 45 CFR 164.514.

3.3 To Communicate with You

We use your contact information to send you service-related communications, including: account notifications, security alerts, product updates and new feature announcements, and billing and payment communications.

3.4 To Comply with Legal Obligations

We use your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests.

4. HOW WE SHARE YOUR INFORMATION

4.1 With Your Authorization

We process and share PHI on your behalf as authorized under the Platform Access and Services Agreement and Business Associate Agreement.

4.2 Service Providers and Subcontractors

We share information with carefully selected third-party service providers who perform functions on our behalf, subject to written agreements containing terms no less protective than this Privacy Policy and the Business Associate Agreement. These providers include cloud infrastructure providers (for hosting and data storage), AI processing services (for large language model and machine learning processing), payment processors (for billing and payment handling), and analytics providers (for system monitoring and performance). A current list of subcontractors with access to PHI is available upon request at compliance@helloklarity.com. We will notify you of material changes to our subcontractor list at least thirty (30) days in advance.

4.3 Legal Requirements

We may disclose your information where required by law, including in response to a court order, subpoena, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of the Company, our users, or others. When we receive a government or law enforcement request for Provider data or PHI, we will: (a) evaluate the legal validity and scope of the request; (b) attempt to narrow overly broad requests to the minimum necessary; (c) notify you of the request, its scope, and our intended response, unless we are legally prohibited from doing so by a non-disclosure order; and (d) disclose only the minimum information necessary to comply. We maintain records of all government data requests and our responses, which are available to affected Providers upon request.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your information.

5. AI-SPECIFIC DATA PRACTICES

5.1 AI Processing

The Platform uses artificial intelligence and machine learning technologies, including large language models (LLMs), to process your data and generate outputs. AI Services may be powered by Company-developed models, third-party AI providers (such as cloud-based LLM APIs), or a combination thereof. A current list of AI processing subcontractors is available upon request at compliance@helloklarity.com. All third-party AI providers with access to PHI are bound by written agreements containing equivalent HIPAA protections. All PHI processed by AI systems is subject to the same safeguards and protections as all other PHI under the Business Associate Agreement.

Important: AI-generated outputs may contain errors, inaccuracies, or omissions. AI is not a substitute for professional clinical judgment. All AI-generated outputs must be reviewed and approved by a licensed healthcare provider before clinical, administrative, or patient-facing use.

5.2 No Training on Identifiable PHI

We do not use identifiable Protected Health Information to train, develop, or improve general-purpose artificial intelligence models. Only data that has been de-identified in accordance with HIPAA standards (45 CFR 164.514) may be used to improve the Platform.

5.3 AI-Generated Outputs

AI-generated outputs that contain or are derived from PHI are treated as PHI for all purposes and are subject to the same protections under the Business Associate Agreement.

5.3A AI Output Non-Uniqueness

AI-generated outputs may not be unique. Due to the nature of machine learning and generative AI, similar or identical outputs may be generated for multiple Providers or users submitting similar inputs. The Platform does not guarantee the uniqueness, originality, or exclusivity of any AI-generated output. Provider should not rely on AI-generated outputs as unique work product without independent review and modification.

5.4 Audit Logs

We maintain audit logs of all AI interactions involving Protected Health Information, including timestamps, user identity, data elements accessed, AI model version, outputs generated, and processing outcomes. Audit logs are retained for a minimum of six (6) years in accordance with HIPAA retention requirements. Logs are available to you or your authorized representatives upon request and will be provided within ten (10) business days in a standard export format (CSV or JSON).

5.5 Automated Workflows

When you configure and approve Automations through the Platform, those Automations are treated as authorized uses and disclosures of PHI. This includes Automations operating in Auto-Send Mode for patient communications. You may review, pause, modify, or revoke any Automation at any time through the Platform, and you may switch any communication type between Draft Mode and Auto-Send Mode at any time.

5.6 Automated Decision-Making

The Platform does not engage in decision-making based solely on automated processing that produces legal or similarly significant effects on individuals without human involvement. All clinical decisions, treatment determinations, and patient care actions require licensed Provider review and authorization. Automations configured by Provider (including Auto-Send Mode communications) are treated as Provider-directed actions, not autonomous Platform decisions. If you have questions about how automated processing applies to your use of the Platform, contact us at compliance@helloklarity.com.

6. DATA SECURITY

We implement appropriate administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of your information, including PHI, in accordance with the HIPAA Security Rule (45 CFR 164.308-312) and industry best practices.

Technical Safeguards: Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent); multi-factor authentication (MFA) for all provider and administrative accounts; network segmentation and intrusion detection systems; regular vulnerability scanning and penetration testing.

Administrative Safeguards: Role-based access controls and principle of least privilege; annual security awareness training for all employees; background checks for personnel handling PHI; security incident response procedures; regular security risk analyses.

Third-Party Assurance: Klarity undergoes periodic security assessments to demonstrate compliance with HIPAA and industry security standards. Assessment reports are available upon request under NDA.

Vulnerability Disclosure: If you discover a security vulnerability in the AskChart platform, please report it to security@helloklarity.com.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

6A. COOKIES AND TRACKING TECHNOLOGIES

The Platform does not currently use cookies or third-party tracking technologies for advertising or cross-site behavioral profiling. If we introduce cookies or analytics tools in the future, we will update this Privacy Policy to disclose: (a) the categories of cookies used (strictly necessary, functional, analytics, or marketing); (b) the specific third-party analytics providers involved; (c) how to manage or opt out of non-essential cookies; and (d) cookie retention periods. We will provide at least thirty (30) days' notice before introducing any non-essential tracking technologies.

6B. BREACH NOTIFICATION

In the event of a Breach of Unsecured Protected Health Information (as defined under HIPAA), we will notify you within forty-eight (48) hours of discovery with a preliminary notice describing the nature of the incident and our immediate containment measures. A full written notification, including the identity of affected individuals, scope of exposure, and recommended steps, will be provided within sixty (60) calendar days of discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR 164.404-414) and the Business Associate Agreement. We will cooperate with you in fulfilling any obligations to notify affected individuals, the U.S. Department of Health and Human Services, and state attorneys general as required by law.

7. DATA RETENTION

We retain your information for as long as your account is active or as needed to provide you services. Upon termination, we will return or destroy PHI in accordance with the Business Associate Agreement, except as required by law. Specific retention periods by data type are as follows:

Data Type                                  | Retention Period
-------------------------------------------|---------------------------------------------------------------------------------
Protected Health Information (PHI)         | Duration of Agreement, then returned or destroyed per BAA (30 days post-termination)
AI interaction logs and audit logs         | 6 years from date of processing
Billing and financial records              | 6 years from date of transaction
Provider Account Information               | 6 years following termination
Platform Usage Data (logs, analytics)      | 6 years following termination

After the applicable retention period, data is securely destroyed using industry-standard methods. Data subject to a legal hold, regulatory investigation, or active dispute may be retained beyond these periods as required.

8. YOUR RIGHTS

8.1 Access and Portability

You may request access to the information we hold about you. For PHI, access rights are governed by the Business Associate Agreement and HIPAA.

8.2 Correction

You may request correction of inaccurate information in your account. For PHI amendments, the process is governed by the Business Associate Agreement and HIPAA.

8.3 Deletion

You may request deletion of your account information, subject to our legal retention obligations. PHI deletion is governed by the Business Associate Agreement.

8.4 Automation Controls

You may review, modify, pause, or revoke any Automation at any time through the Platform.

8A. INTERNATIONAL DATA TRANSFERS

The Platform is currently hosted and operated within the United States. All data processing, including AI Services processing, occurs within the United States. If we expand our infrastructure to process data outside the United States in the future, we will update this Privacy Policy to disclose: (a) the countries in which data is processed; (b) the legal mechanisms used to protect data transfers (such as Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms); (c) any additional safeguards implemented; and (d) how you may exercise your rights regarding international transfers. We will provide at least thirty (30) days' notice before any material change to data processing locations.

If you are located outside the United States and access the Platform, you acknowledge that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

8B. NO SALE OF PERSONAL INFORMATION

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or any other applicable state or federal privacy law. We do not share personal information for cross-context behavioral advertising. We do not disclose personal information to third parties in exchange for monetary or other valuable consideration. This commitment applies to all categories of personal information we collect, including Provider Account Information, Platform Usage Data, and any information derived from your use of the Platform. If this practice ever changes, we will provide at least thirty (30) days' notice and obtain any consent required by law before any such sale or sharing occurs.

9. STATE-SPECIFIC RIGHTS

California (CCPA/CPRA). If you are a California resident, you may have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including: the right to know what personal information we collect, use, and disclose; the right to request deletion of your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising); and the right to limit the use of sensitive personal information. We will not discriminate against you for exercising these rights.

Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and other states. Residents of states with comprehensive privacy laws may have similar rights, including: the right to access, correct, and delete personal data; the right to data portability; the right to opt out of targeted advertising, profiling, and sale of personal data; and the right to appeal a denial of a privacy request.

To exercise any state-specific rights, contact us at compliance@helloklarity.com. We will respond to verified requests within the timeframes required by applicable law (typically 45 days, with extensions as permitted).

9A. CHILDREN'S PRIVACY

The AskChart platform is designed for use by licensed healthcare providers and their authorized staff. The Platform is not directed at individuals under the age of eighteen (18), and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us at compliance@helloklarity.com and we will promptly delete such information. Note: PHI of minor patients processed through the Platform on a Provider's behalf is governed by the Business Associate Agreement and HIPAA, not this section.

9B. ACCOUNT INACTIVITY

If your account remains inactive (no login, API call, or Automation execution) for a period of twelve (12) consecutive months, we may classify your account as dormant. Before taking any action, we will send notice to your registered email address at least sixty (60) days prior to any account action. If you do not respond or reactivate your account within that notice period, we may suspend or terminate your account and initiate data return or destruction procedures in accordance with the Business Associate Agreement and Section 7 (Data Retention) of this Privacy Policy. This provision does not override any data retention obligations required by HIPAA or applicable law.

10. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on the Platform and updating the "Last Updated" date. We will provide at least thirty (30) days' notice of material changes. Your continued use of the Platform after such notice constitutes acceptance of the updated Privacy Policy.

11. CONTACT US

If you have questions about this Privacy Policy or our data practices, please contact us at:

Klarity Health, Inc.
Attn: Privacy and Compliance
1825 South Grant St, Suite 200
San Mateo, CA 94402
Email: compliance@helloklarity.com
Phone: (866) 391-3314