Data & Privacy Policy

Effective Date: March 17, 2026  |  Last Updated: May 19, 2026

This Data & Privacy Policy ("Policy") describes how Provider Plexus, Inc. ("Provider Plexus," "Company," "we," "us," or "our") collects, uses, discloses, stores, and protects information when you use our products, services, applications, and platforms (collectively, the "Services"). This includes the Provider Plexus web application, browser extension, mobile application, telehealth patient portal, audio streaming and transcription services, and all associated APIs.

We understand that the data you entrust to us includes sensitive health information. We take this responsibility seriously and are committed to protecting your privacy in compliance with the Health Insurance Portability and Accountability Act ("HIPAA"), applicable state privacy laws, and industry best practices.

1. Information We Collect

1.1 Information You Provide Directly
  • Account Information: Name, email address, professional credentials, organizational affiliation, role, and login credentials when you create an account.
  • Patient Demographics: Full name, date of birth, Social Security Number, phone number, mailing address, email address, driver's license number, and emergency contact information collected through the telehealth intake portal.
  • Insurance Information: Payer name, member ID, group number, plan type, subscriber details, and policy information.
  • Clinical Documentation: Medical notes, clinical encounter documentation, procedure details, and diagnostic information uploaded or entered into the Services.
  • Audio Recordings: Voice recordings of clinical encounters captured through the ambient documentation features (browser extension and web application) with patient consent.
  • Medical Imaging: DICOM files and other medical imaging uploaded through the Services.
  • Medical History: Patient-reported medical history, medications, allergies, surgical history, and family medical history.
  • Consent Records: Digital signatures and consent form completions for HIPAA authorization and telehealth consent.
  • Payment Information: Credit or debit card information provided for payment processing (collected and stored exclusively by Stripe, Inc.; Provider Plexus does not store card numbers).
  • Communications: Inquiries, support requests, and feedback submitted through the help form or email.
1.2 Information Collected Automatically
  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Usage Data: Pages visited, features used, click patterns, session duration, timestamps, referral URLs, and navigation paths within the Services.
  • Performance Data: Page load times, error logs, API response times, and service performance metrics.
  • Authentication Events: Login timestamps, login methods (password, SSO, SMS one-time code), failed login attempts, and session activity.
  • Cookies and Similar Technologies: Session cookies for authentication and security across all Services. Third-party fraud-prevention cookies set by Stripe during payment collection on the patient telehealth portal. Analytics cookies are used only on the provider-facing web application; the patient telehealth portal at providerplexus.com and the mobile application do not use analytics cookies (see Section 8).
1.3 Information Collected Through the Mobile Application

When you use the Provider Plexus mobile application (iOS), the following additional information may be collected:

  • Device Identifiers: A unique device identifier (UUID) generated on first launch, used for authentication token management and push notification delivery. This identifier is not linked to hardware identifiers or advertising IDs.
  • Device Information: Device operating system and version (e.g., "iOS 17.4"), used for session management and security logging.
  • Biometric Authentication: The mobile app supports Face ID for secure login. Biometric data is processed entirely on-device by Apple's Local Authentication framework. Provider Plexus never receives, transmits, or stores your biometric data. Only a boolean preference indicating whether Face ID is enabled is stored.
  • Push Notification Tokens: Firebase Cloud Messaging (FCM) tokens are collected to deliver push notifications for incoming consult requests and visit updates. FCM tokens are transmitted to Google's Firebase service solely for notification delivery.
  • Profile Pictures: If you upload a profile picture, the image is compressed on-device and transmitted to our servers via HTTPS.
  • Authentication Events: Login, logout, and biometric login events are logged with timestamps for security and audit purposes.
  • Calendar Integration: If you connect a third-party calendar (Google, Outlook, or Apple Calendar) for schedule management, OAuth authorization codes are exchanged with the respective provider through our backend. Calendar data is used solely for availability management.

What the Mobile App Does Not Collect:

  • No location data or GPS coordinates
  • No contacts or address book data
  • No advertising identifiers (IDFA) or cross-app tracking
  • No browsing or search history
  • No third-party analytics (no Mixpanel, Google Analytics, or similar services are used in the mobile app)

On-Device Security: All credentials and sensitive data stored locally on the device are encrypted using platform-provided secure storage (iOS Keychain). The app performs device integrity checks (jailbreak detection) locally; no device security data is transmitted to our servers. All API communication uses HTTPS with certificate pinning to prevent man-in-the-middle attacks.

1.4 Information from Third-Party Sources
  • Electronic Health Records (EHR): Medical records, clinical data, lab results, and care summaries retrieved from EHR systems through authorized FHIR-based integrations and medical records services, with patient consent.
  • Insurance Eligibility: Coverage status and benefit details obtained through eligibility verification services.
  • NPI Registry: Provider information obtained from the National Provider Identifier registry for provider lookup features.
  • SSO Providers: Authentication attributes provided by SAML or OIDC identity providers during single sign-on.

2. How We Use Information

2.1 Providing and Operating the Services
  • Processing clinical documentation for medical code extraction (CPT, ICD-10, HCPCS) and E/M level analysis.
  • Transcribing audio recordings and generating ambient clinical notes.
  • Facilitating patient intake, insurance verification, and telehealth workflows.
  • Processing payments and managing subscriptions.
  • Retrieving and integrating medical records from connected EHR systems.
  • Managing prior authorization requests and eligibility checks.
2.2 Security and Compliance
  • Authenticating users, managing sessions, and enforcing access controls.
  • Detecting, preventing, and responding to fraud, abuse, and security threats.
  • Maintaining audit trails as required by HIPAA and other regulations.
  • Monitoring for unauthorized access or PHI breaches.
2.3 Improvement and Analytics
  • Analyzing usage patterns to improve the Services, user experience, and AI model performance.
  • Generating aggregate, de-identified analytics and benchmarks.
  • Conducting internal research and product development.
2.4 Communications
  • Sending service-related notifications (account activity, security alerts, system updates).
  • Responding to support requests and inquiries.
  • Providing information about new features or service changes (you may opt out of non-essential communications).
2.4.1 Transactional Telehealth SMS and Mobile Opt-In

Provider Plexus uses SMS text messaging solely to deliver transactional service messages for account access, account security, telehealth intake, referral intake, visit access, appointment confirmations and reminders, provider-ready notices, waiting-room rejoin links, consult-status confirmations, insurance card capture links, lab status messages, order status messages, and lab purchase or download links. Patients and authorized users provide their mobile number during account registration, account-security setup, telehealth intake, referral intake, visit scheduling, or visit access flows. By entering your mobile number and checking the SMS consent box presented next to the mobile number field, you agree to receive transactional SMS messages from Provider Plexus about your telehealth access and visit.

The full consent language presented at opt-in reads: "I agree to receive transactional SMS messages from Provider Plexus about my telehealth access and visit. Provider Plexus sends transactional SMS messages only, including verification codes, intake or visit access links, appointment confirmations and reminders, provider-ready notices, waiting-room rejoin links, insurance card capture links, and lab or order status messages. Message frequency varies based on your activity and scheduled visits. Message and data rates may apply. Reply STOP to opt out or HELP for help. Consent is not a condition of purchase. Mobile opt-in information will not be shared with third parties or affiliates for marketing or promotional purposes."

  • Message content: SMS messages are transactional service messages only. They may include one-time verification codes, telehealth intake links, visit access links, appointment confirmations and reminders, provider-ready notices, waiting-room rejoin links, referral intake links, consult-status confirmations, insurance card capture links, lab status messages, order status messages, and lab purchase or download links. They do not contain marketing or promotional content, age-gated content, or lending-related content.
  • Message frequency: Frequency varies and depends on how often you request verification codes, receive referrals or visit links, schedule visits, wait for a provider, reconnect to a visit, complete intake tasks, or receive lab/order updates. You will not receive recurring or scheduled SMS marketing messages from Provider Plexus.
  • Carrier charges: Message and data rates may apply according to your mobile carrier's plan. Provider Plexus does not charge you for transactional SMS messages.
  • Opt-out (STOP): You may opt out at any time by replying STOP to any Provider Plexus SMS. Opting out will prevent Provider Plexus from sending you SMS messages; you may need to use an alternate verification or visit-access method to access your account or telehealth visit.
  • Help (HELP): Reply HELP to any Provider Plexus SMS to receive support contact information, or contact support@providerplexus.com.
  • Mobile-number non-sharing: Mobile information (including phone numbers collected for transactional SMS, opt-in records, and SMS consent metadata) will not be shared with third parties or affiliates for marketing or promotional purposes. This non-sharing commitment applies to all categories of mobile opt-in data and is not waived by any other provision of this Policy. We will only share your mobile number with our SMS aggregator and telecommunications providers (such as Twilio, Inc.) to the extent strictly necessary to deliver transactional SMS messages for your account or telehealth workflow.
2.5 Legal Compliance
  • Complying with applicable laws, regulations, legal processes, or governmental requests.
  • Enforcing our Terms of Service and other agreements.
  • Protecting the rights, property, and safety of Provider Plexus, our users, and the public.

3. Protected Health Information (PHI)

3.1 HIPAA Compliance

When Provider Plexus processes PHI on behalf of a Covered Entity, we do so as a Business Associate under HIPAA. Our handling of PHI is governed by the applicable Business Associate Agreement (BAA) and the HIPAA Privacy, Security, and Breach Notification Rules.

3.2 Minimum Necessary Standard

We apply the HIPAA minimum necessary standard, accessing and processing only the minimum amount of PHI required to fulfill the specific purpose for which it was provided.

3.3 PHI Safeguards

PHI is subject to enhanced protections, including:

  • Encryption at Rest: PHI is encrypted using AES-256 encryption via Google Cloud KMS with envelope encryption. Data Encryption Keys (DEKs) are managed with automated rotation and secure caching.
  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Field-Level Encryption: Sensitive fields (names, phone numbers, addresses, emails, SSN) are individually encrypted in the database using dedicated encrypted column types.
  • PHI Redaction in Logs: Application logs are automatically filtered to prevent PHI from appearing in system logs, error reports, or debugging output.
  • Access Controls: Role-based access controls, multi-tenant data isolation, and the principle of least privilege are enforced at the application, database, and infrastructure levels.
  • Audit Logging: Comprehensive audit trails record access to and actions on PHI, including user identity, timestamp, and action type.
3.4 Breach Notification

In the event of a breach of unsecured PHI, Provider Plexus will notify the affected Covered Entity without unreasonable delay and no later than the deadline required under HIPAA (currently 60 calendar days from discovery). We will cooperate with the Covered Entity in fulfilling its breach notification obligations to affected individuals and the U.S. Department of Health and Human Services (HHS).

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

Provider Plexus does not sell, rent, or trade your personal information or PHI to third parties for marketing, advertising, or any other commercial purpose.

Mobile information (including phone numbers, SMS opt-in records, and SMS consent metadata) will not be shared with third parties or affiliates for marketing or promotional purposes. Mobile numbers collected for transactional SMS are used only to deliver account-access, account-security, telehealth intake, visit access, appointment, provider-ready, waiting-room rejoin, consult-status, insurance card capture, lab status, order status, and lab purchase or download messages and are shared exclusively with the telecommunications providers and SMS aggregators (such as Twilio, Inc.) that deliver those messages on our behalf.

4.2 Service Providers and Subcontractors

We share data with third-party service providers who assist in delivering the Services, subject to appropriate contractual and security safeguards:

  • AI Processing: OpenAI, Azure OpenAI, and Google Cloud AI Platform process clinical text for code extraction, transcription, and note generation. These providers are bound by data processing agreements and, where processing PHI, by BAAs.
  • Payment Processing: Stripe, Inc. processes payment transactions. Stripe is PCI DSS Level 1 certified. Provider Plexus does not receive or store your full card number.
  • Cloud Infrastructure: Google Cloud Platform provides hosting, storage, computing, and key management services under a BAA.
  • Medical Records: Third-party services facilitate EHR data retrieval under BAAs and FHIR interoperability standards.
  • Video Conferencing: Daily.co provides the real-time video infrastructure for telehealth visits. During a video call, audio and video streams are transmitted through Daily.co's servers. Daily.co does not have access to patient medical records or PHI beyond what is communicated during the live video session.
  • Push Notifications: Google Firebase Cloud Messaging (FCM) delivers push notifications to the mobile application. FCM receives device tokens and notification metadata; no PHI is included in push notification payloads.
  • SMS Delivery: Twilio, Inc. delivers transactional SMS messages to your registered mobile number for account access, account security, telehealth intake, referral intake, visit access, appointment confirmations and reminders, provider-ready notices, waiting-room rejoin links, consult-status confirmations, insurance card capture links, lab status messages, order status messages, and lab purchase or download links. Twilio receives the mobile number and message payload solely to deliver the message. Twilio does not use your mobile number or opt-in information for marketing or promotional purposes, and Provider Plexus does not authorize any onward sharing of mobile opt-in data with third parties or affiliates for marketing or promotional purposes.
  • Analytics: Mixpanel receives de-identified usage analytics data for product improvement purposes from the provider-facing web application at app.providerplexus.com. No PHI is transmitted to Mixpanel. The patient telehealth portal at providerplexus.com and the mobile application do not use Mixpanel or any third-party analytics service.
  • Error Telemetry: Sentry, Inc. receives error reports and limited performance metrics from the web Services to diagnose technical issues. Sentry is configured with personal-data scrubbing enabled and session replay disabled. No PHI is transmitted to Sentry.
4.3 Legal Requirements

We may disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or enforceable governmental request.
  • Enforce our Terms of Service or investigate potential violations.
  • Detect, prevent, or address fraud, security, or technical issues.
  • Protect the rights, property, or safety of Provider Plexus, our users, patients, or the public.
4.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have regarding your information.

4.5 With Your Consent

We may share information with third parties when you have given us explicit consent to do so.

5. Data Retention

5.1 Retention Periods

We retain information for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, and enforce our agreements:

  • Account Information: Retained for the duration of your account and for a reasonable period thereafter for legal and operational purposes.
  • Clinical Content and PHI: Retained in accordance with the applicable BAA and HIPAA requirements. Medical records are typically retained for a minimum of six (6) years from the date of creation or last effective date, or longer as required by applicable state law.
  • Audio Recordings: Retained for the period specified in your subscription agreement or BAA. You may request earlier deletion subject to legal retention requirements.
  • Usage and Analytics Data: Retained in de-identified or aggregated form for product improvement purposes.
  • Consent Records: Retained for the period required by applicable law to demonstrate valid consent.
  • Security and Audit Logs: Retained for a minimum of six (6) years as required by HIPAA.
5.2 Deletion

When data is no longer needed, it is securely deleted or de-identified using industry-standard methods. Encrypted data is rendered unrecoverable through cryptographic key destruction where applicable.

6. Your Rights and Choices

6.1 Access and Portability

You have the right to request access to the personal information we hold about you. Where technically feasible, we will provide your data in a structured, commonly used, machine-readable format.

6.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. For PHI, amendment requests will be handled in accordance with HIPAA requirements.

6.3 Deletion

You may request deletion of your personal information, subject to our legal obligations to retain certain data (e.g., medical records retention requirements, audit logs, and legal holds).

6.4 Restriction of Processing

You may request that we restrict certain processing of your personal information in specific circumstances as permitted by applicable law.

6.5 Opt-Out of Communications

You may opt out of non-essential communications by following the unsubscribe instructions in our emails or by contacting us. You cannot opt out of essential service-related communications (e.g., security alerts, account notifications).

6.6 HIPAA Rights

If your information constitutes PHI, you may have additional rights under HIPAA, including the right to:

  • Request an accounting of disclosures of your PHI.
  • Request restrictions on certain uses and disclosures.
  • Receive confidential communications through alternative means or at alternative locations.
  • File a complaint with the HHS Office for Civil Rights if you believe your privacy rights have been violated.

For PHI, requests to exercise these rights should generally be directed to the healthcare provider (Covered Entity) who collected the information. The Covered Entity will coordinate with Provider Plexus as needed.

6.7 Exercising Your Rights

To exercise any of these rights, contact us at privacy@providerplexus.com. We will respond to verifiable requests within the timeframes required by applicable law (typically 30 days, with extensions available for complex requests).

Your Data Rights — Quick Reference

As a patient using Provider Plexus, you have the right to manage the personal and health information we hold about you. Below is a summary of your key rights and how to exercise them.

Right | What It Means
Access | Request a copy of the personal and health information we hold about you, in a portable format where feasible.
Amendment | Request correction of any inaccurate or incomplete information in your records.
Deletion | Request deletion of your personal information, subject to legal retention requirements (e.g., medical records must be retained for a minimum of six years).
Restriction | Request that we limit certain processing of your information in specific circumstances.

How to submit a request:

Email privacy@providerplexus.com with the subject line "Data Rights Request" and include your full name and the type of request (access, amendment, or deletion). We will acknowledge your request within 5 business days and fulfill it within 30 days, as required by law. You may also contact your healthcare provider directly, and they will coordinate with us.

7. Data Security

7.1 Technical Safeguards
  • Encryption: AES-256 encryption at rest via Google Cloud KMS with envelope encryption; TLS 1.2+ for data in transit.
  • Authentication: Secure password hashing, SMS-based two-factor authentication (one-time codes) for patients, SAML SSO and OAuth2/OIDC support for providers, and biometric authentication (Face ID) on mobile devices.
  • Session Security: Short-lived JWT session tokens (4-hour expiry) scoped to the browser tab, strict Same-Origin request validation on unauthenticated endpoints, and strict Content-Security-Policy headers.
  • Rate Limiting: Authentication and messaging endpoints are rate-limited to prevent brute-force and abuse.
  • Account Lockout: Automatic account lockout after repeated failed login attempts.
  • Content Security Policy: Strict CSP headers to prevent cross-site scripting and data injection attacks.
  • Certificate Pinning: The mobile application uses public key pinning for all API communication, preventing man-in-the-middle attacks even if a device's certificate store is compromised.
  • Device Integrity: The mobile application performs jailbreak and root detection checks to ensure it is running in a secure environment.
7.2 Administrative Safeguards
  • Employee access to PHI is limited on a need-to-know basis.
  • All personnel with access to PHI receive HIPAA training.
  • Incident response procedures are in place for security events and potential breaches.
  • Regular risk assessments are conducted as required by the HIPAA Security Rule.
7.3 Physical Safeguards
  • The Services are hosted on Google Cloud Platform, which maintains SOC 2 Type II, ISO 27001, and HITRUST certifications.
  • Data centers have physical access controls, environmental protections, and 24/7 monitoring.
7.4 Reporting Security Incidents

If you discover a security vulnerability or suspect a breach, please report it immediately to security@providerplexus.com. We investigate all reported incidents promptly.

8. Cookies and Tracking Technologies

8.1 Cookies We Use

Our cookie usage differs by Service. The list below describes every cookie category set across our properties.

  • Essential Cookies (all web Services): First-party cookies required for authentication, session management, CSRF protection, and core functionality (for example, the Flask session cookie). These are exempt from consent under applicable law because the Services cannot function without them.
  • Payment Cookies (patient telehealth portal only): When you reach the payment step of the intake flow at providerplexus.com, Stripe, Inc. sets two functional cookies (__stripe_mid and __stripe_sid) used solely for payment fraud prevention. These cookies do not track you across unrelated websites and are not used for advertising.
  • Analytics Cookies (provider-facing web application only): Mixpanel collects de-identified usage analytics on app.providerplexus.com for product improvement. No PHI is transmitted to Mixpanel. The patient telehealth portal at providerplexus.com and the mobile application do not use Mixpanel or any third-party analytics service.
  • Error Telemetry (all web Services): Sentry collects error reports and limited performance metrics to diagnose technical issues. Sentry is configured with personal-data scrubbing enabled and session replay disabled. No PHI is transmitted to Sentry.
8.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Services. Disabling payment fraud-prevention cookies may cause Stripe to decline transactions. Disabling analytics or error-telemetry cookies will not affect core functionality.

8.3 Do Not Track

The Services do not currently respond to "Do Not Track" (DNT) browser signals due to the lack of an industry-wide standard for DNT implementation.

9. Children's Privacy

The Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13 except as part of the telehealth intake process when a parent or legal guardian provides information on behalf of a minor patient. If we learn that we have collected personal information from a child under 13 without parental consent outside of the healthcare context, we will delete that information promptly.

10. State-Specific Privacy Rights

10.1 California (CCPA/CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination. Note that PHI handled under HIPAA is exempt from the CCPA. To exercise your CCPA rights, contact privacy@providerplexus.com.

10.2 Other State Laws

Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others) may have additional rights regarding their personal information. We will honor applicable rights under your state's privacy law. Contact privacy@providerplexus.com to exercise your rights.

11. International Data Transfers

The Services are hosted in the United States. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Services, you consent to such transfers. Where required by applicable law, we implement appropriate safeguards (such as Standard Contractual Clauses) for cross-border data transfers.

12. Third-Party Links and Services

The Services may contain links to third-party websites or integrate with third-party services. This Policy does not apply to information collected by third parties. We encourage you to review the privacy policies of any third-party services you interact with through the Services.

13. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Policy on the Services with a new effective date.
  • Sending email notification to the address associated with your account for significant changes.

Your continued use of the Services after the effective date of any modification constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.

14. Contact Information

If you have questions, concerns, or requests regarding this Policy or our data practices, contact us:

If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at hhs.gov/ocr.