case1.ai

by HapPhi, Inc.

โ† Back to Home

Privacy Policy

Last Updated: January 15, 2025

1. Introduction

HapPhi, Inc. ("HapPhi," "we," "us," or "our") is committed to protecting your privacy and the security of your information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the case1.ai platform and related services (the "Services").

As a provider of healthcare technology services, we handle Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA"). This Privacy Policy describes our privacy practices in compliance with HIPAA, state privacy laws, and other applicable regulations.

Contact Information:
HapPhi, Inc.
Email: eb@happhi.com

2. Scope and Application

This Privacy Policy applies to:

  • Information collected through the case1.ai platform (web and mobile applications)
  • Information provided by our customers (healthcare providers, insurance carriers, TPAs, employers)
  • Protected Health Information (PHI) processed on behalf of covered entities
  • Information collected through our website and marketing communications

This Privacy Policy does not apply to third-party websites, applications, or services that may link to or from our Services. We encourage you to review the privacy policies of any third-party services you access.

3. HIPAA Compliance and PHI Protection

3.1 Business Associate Status

HapPhi acts as a Business Associate under HIPAA when processing PHI on behalf of covered entities (our customers). We enter into Business Associate Agreements (BAAs) with all customers who provide us with PHI, as required by 45 CFR § 164.502(e) and § 164.504(e).

3.2 What Constitutes PHI

PHI includes individually identifiable health information transmitted or maintained in any form or medium, including:

  • Names, addresses, and contact information
  • Dates of birth, admission, discharge, and death
  • Social Security numbers and medical record numbers
  • Health plan beneficiary numbers
  • Account numbers and certificate/license numbers
  • Medical diagnoses, treatment information, and test results
  • Photographs and biometric identifiers
  • Any other unique identifying information

3.3 Permitted Uses and Disclosures of PHI

HapPhi uses and discloses PHI only as permitted by:

  • Your Authorization: When you provide specific written authorization
  • Treatment, Payment, and Healthcare Operations: To assist customers in case management activities
  • Legal Requirements: When required by law, court order, or government agency
  • Business Associate Functions: To perform services on behalf of covered entities as specified in the BAA
  • De-Identified Data: Data that has been de-identified in accordance with 45 CFR § 164.514

3.4 Your Rights Regarding PHI

Under HIPAA, you have the following rights:

  • Right to Access: Request copies of your PHI (45 CFR § 164.524)
  • Right to Amend: Request corrections to your PHI (45 CFR § 164.526)
  • Right to an Accounting: Request a list of certain disclosures of your PHI (45 CFR § 164.528)
  • Right to Request Restrictions: Request limitations on how your PHI is used or disclosed (45 CFR § 164.522)
  • Right to Confidential Communications: Request communications by alternative means or locations
  • Right to a Paper Copy: Obtain a paper copy of this Privacy Policy

To exercise these rights, contact your healthcare provider or covered entity directly, or contact us at eb@happhi.com.

4. Information We Collect

4.1 Protected Health Information (PHI)

When you use our Services, we collect PHI including:

  • Patient Information: Name, date of birth, address, contact information, Social Security number
  • Medical Information: Diagnoses, treatment plans, medical history, medications, test results, physician notes
  • Claim Information: Injury details, employer information, insurance details, claim status, costs
  • Communications: Messages between case managers and patients, video call recordings and transcripts
  • Documents: Medical records, bills, injury reports, correspondence

4.2 Account and Authentication Information

To create and manage your account:

  • Username and password
  • Email address and phone number
  • Organization name and role
  • Professional credentials and licenses
  • Multi-factor authentication credentials

4.3 Usage and Technical Information

We automatically collect technical information when you use the Services:

  • IP address, browser type, and device information
  • Operating system and application version
  • Pages visited, features used, and time spent
  • Click patterns and navigation paths
  • Error logs and performance data
  • Cookies and similar tracking technologies

4.4 Payment Information

For billing purposes, we collect payment card information, billing address, and transaction history. Payment information is processed by PCI-compliant third-party payment processors and is not stored on our servers.

5. How We Use Information

5.1 Service Delivery

  • Provide case management and administrative services
  • Process and manage workers' compensation claims
  • Enable communication between case managers, patients, and providers
  • Generate AI-powered recommendations and risk predictions
  • Process documents and extract relevant information
  • Facilitate video consultations and telehealth services

5.2 Platform Improvement and AI Development

  • Improve AI algorithms and machine learning models using de-identified data
  • Enhance user experience and platform functionality
  • Conduct analytics and generate benchmarks
  • Develop new features and services
  • Monitor system performance and detect errors

5.3 Security and Compliance

  • Detect and prevent fraud, unauthorized access, and security threats
  • Maintain audit logs for compliance purposes
  • Investigate security incidents and breaches
  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms and Conditions

5.4 Communication

  • Send service notifications and platform updates
  • Respond to customer support inquiries
  • Provide technical assistance and training
  • Send administrative messages about your account

6. How We Share Information

6.1 Sharing PHI

We share PHI only in the following circumstances:

  • With Your Covered Entity: Information is shared with your healthcare provider, insurance carrier, or employer as necessary for treatment, payment, and healthcare operations
  • With Your Authorization: When you provide specific written consent
  • With Service Providers: With third-party vendors who assist us in providing the Services (e.g., cloud hosting, data analytics) under strict BAAs and confidentiality agreements
  • For Legal Compliance: When required by law, court order, subpoena, or government investigation
  • To Prevent Harm: When necessary to prevent serious threat to health or safety

6.2 Third-Party Service Providers

We work with carefully selected third-party service providers who assist us in operating the Services:

  • Cloud Infrastructure: Amazon Web Services (AWS) for HIPAA-compliant hosting
  • Payment Processing: PCI-compliant payment processors
  • Communication Services: Email and SMS delivery services under BAAs
  • Analytics: Performance monitoring and error tracking services

All service providers who handle PHI sign Business Associate Agreements and are contractually required to maintain the confidentiality and security of your information.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

7. Data Security

7.1 Security Measures

We implement comprehensive administrative, physical, and technical safeguards to protect your information:

Administrative Safeguards:

  • Security risk assessments and management
  • Workforce security training and HIPAA education
  • Information access management with role-based controls
  • Security incident procedures and breach response plans
  • Business associate management and contract oversight

Physical Safeguards:

  • Secure data center facilities with 24/7 monitoring
  • Facility access controls and visitor logs
  • Workstation security policies
  • Device and media controls

Technical Safeguards:

  • Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit
  • Access Control: Unique user identification, automatic logoff, encryption and decryption
  • Audit Controls: Comprehensive logging of all access and modifications to PHI
  • Integrity Controls: Mechanisms to authenticate PHI and detect unauthorized changes
  • Transmission Security: Secure protocols for data transmission over networks
  • Multi-Factor Authentication: Required for all user accounts
  • Network Security: Firewalls, intrusion detection systems, and DDoS protection
  • Vulnerability Management: Regular security patches and updates

7.2 Certifications and Compliance

  • HIPAA compliant with executed BAAs
  • SOC 2 Type II certified
  • GDPR compliant for EU operations
  • Annual third-party security audits and penetration testing

7.3 Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals and covered entities without unreasonable delay and no later than 60 days after discovery, as required by 45 CFR § 164.410. Notification will include a description of the breach, the types of information involved, steps individuals should take, and our remedial actions.

8. Data Retention and Deletion

8.1 Retention Period

We retain PHI for as long as necessary to:

  • Provide the Services to our customers
  • Comply with legal and regulatory requirements (typically 6-7 years for medical records)
  • Resolve disputes and enforce agreements
  • Meet audit and compliance obligations

8.2 Data Deletion

Upon termination of Services or at Customer's request, we will:

  • Provide a 90-day period for data retrieval
  • Securely delete or return all PHI as directed by the covered entity
  • Use NIST SP 800-88 compliant methods for media sanitization
  • Provide written certification of data destruction upon request

8.3 De-Identified Data

We may retain de-identified data indefinitely for analytics, research, and service improvement. De-identified data is created in accordance with HIPAA standards (45 CFR § 164.514) and cannot be used to identify individuals.

9. Cookies and Tracking Technologies

9.1 Types of Cookies

We use cookies and similar technologies:

  • Essential Cookies: Required for authentication, security, and basic functionality
  • Performance Cookies: Help us understand how users interact with the Services
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Provide insights into usage patterns (anonymized)

9.2 Your Choices

You can control cookies through your browser settings. However, disabling essential cookies may affect the functionality of the Services. We do not use third-party advertising or tracking cookies within the platform where PHI is processed.

10. International Data Transfers

Our Services are primarily hosted in the United States. If you are accessing the Services from outside the U.S., your information may be transferred to, stored, and processed in the United States or other countries where we or our service providers operate.

For customers in the European Union, we comply with GDPR requirements for international data transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data residency options in EU regions (AWS Frankfurt)
  • Data Processing Agreements that comply with GDPR Article 28

11. Children's Privacy

The Services are not directed to individuals under the age of 18, except when used to manage workers' compensation cases for injured minors (as permitted by law). We do not knowingly collect personal information from children without parental consent. If we become aware that we have collected information from a child without proper consent, we will delete it promptly.

12. State-Specific Privacy Rights

12.1 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of personal information collected, used, or shared
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Opt-Out: Opt out of sale of personal information (we do not sell personal information)
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights
  • Right to Correct: Request correction of inaccurate personal information

12.2 Virginia, Colorado, Connecticut, and Utah Residents

Residents of Virginia, Colorado, Connecticut, and Utah have similar rights under their respective state privacy laws.

12.3 Exercising Your Rights

To exercise any of these rights, please contact us at eb@happhi.com. We will respond to your request within the timeframe required by applicable law (typically 45 days). We may request additional information to verify your identity before processing your request.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via email or through the Services
  • Provide at least 30 days' notice before the changes take effect
  • Obtain your consent if required by law

Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.

14. Your Choices and Controls

14.1 Account Settings

You can update your account information, communication preferences, and privacy settings through your account dashboard.

14.2 Email Communications

You may opt out of marketing emails by clicking the "unsubscribe" link in our emails. You will continue to receive essential service notifications and administrative messages.

14.3 Access and Correction

You may request access to your personal information or request corrections by contacting us at eb@happhi.com.

15. Contact Information

Privacy Questions and Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:

HapPhi, Inc.
Privacy Officer
Email: eb@happhi.com

HIPAA Complaints

If you believe your privacy rights have been violated, you may file a complaint with:

HapPhi, Inc. Privacy Officer
Email: eb@happhi.com

U.S. Department of Health and Human Services
Office for Civil Rights
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
Phone: 1-877-696-6775

You will not be retaliated against for filing a complaint.

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO ITS TERMS.