Cliniva AI Web Application Privacy Policy
Application policy for website access, authenticated portals, dashboards, hosted workflow tools, and customer-accessible application features.
Document details
Attorney review recommended. These policies are business/legal drafting aids tailored to the current Cliniva AI web application and should be reviewed by licensed counsel before publication, especially for healthcare, HIPAA, privacy, consumer protection, payment, and regulated-service issues.
1. Overview
This Privacy Policy explains how Cliniva AI LLC (“Cliniva AI,” “we,” “us,” or “our”) collects, uses, discloses, and protects information through our websites, web application, portals, dashboards, hosted workflow systems, support channels, and related services (the “Application”).
This Policy applies to website visitors, prospective customers, customer contacts, account administrators, clinic users, invited users, authorized staff, and other Application users. Customer contracts, BAAs, DPAs, and SOWs may provide additional or more specific rules for customer data, PHI, and regulated workflows.
2. Information We Collect
We may collect the following categories of information depending on how the Application is used:
- Account and identity information: name, email address, role, account, clinic, customer organization, invitation status, authentication status, and password or credential metadata. Passwords are stored in hashed form.
- Authentication and session information: session identifiers, hashed session tokens, pending OTP/enrollment data, sign-in events, invite acceptance records, timestamps, and security-related metadata.
- Business and customer information: organization name, business type, contact information, account details, billing status, plan information, implementation materials, notes, and support requests.
- Clinic and user-management data: accounts, clinics, memberships, roles, permissions, selected clinic context, invitations, admin actions, and audit events.
- Healthcare workflow and patient-related data: where enabled under an appropriate agreement, patient demographics, documents, appointments, tasks, coverage, medications, vitals, problem/allergy lists, clinical orders, encounters, notes, workflow statuses, and related clinic operational records.
- Workflow and automation data: intake, follow-up, document-routing, event-dashboard, queue, message, AI prompt/output, workflow configuration, and review-status information.
- Billing and payment-related information: plan name, plan code, status, billing interval, charge labels, invoice data, and payment-processing metadata. Full payment-card numbers are handled by payment processors when payment features are used.
- Communications: emails, form submissions, support messages, meeting notes, uploaded materials, feedback, and other communications with us.
- Device, log, and usage data: IP address, browser, device, pages viewed, referring URLs, timestamps, diagnostic logs, cookie data, and actions taken in the Application.
3. Protected Health Information and HIPAA
When Cliniva AI acts as a business associate or subcontractor, PHI is governed by a signed Business Associate Agreement and applicable service terms. PHI should not be submitted through public marketing pages, unsecured forms, or non-secure channels unless expressly authorized.
Customers are responsible for determining whether data is PHI, obtaining required patient authorizations or notices, assigning appropriate user roles, reviewing outputs, and using the Application in compliance with HIPAA and other healthcare laws. Cliniva AI uses PHI only as permitted by the applicable BAA, written agreements, and law.
4. Cookies and Similar Technologies
The Application may use cookies, local storage, session storage, and similar technologies for:
| Type | Purpose | Examples |
|---|---|---|
| Essential | authentication, session management, invite acceptance, security, CSRF protection, load balancing, and app operation | session cookies, pending OTP/enrollment cookies |
| Preference | remembering interface or workflow context | selected clinic or application preferences where enabled |
| Analytics / diagnostics | understanding usage, performance, errors, and security events | first-party logs or analytics tools if enabled |
| Marketing / online data partners | measuring campaigns, website referrals, visitor identification, business outreach, and advertising or marketing communications | online data partner or RB2B/Retention.com tracking if enabled |
You can control cookies through your browser. Disabling essential cookies may prevent the Application from working. Where required by law, non-essential analytics, marketing, or online data partner technologies should be controlled through our cookie banner or consent-management settings.
### Online Data Partner / RB2B Tracking
If enabled on our public website or marketing pages, we may use RB2B, Retention.com, or similar online data partner technologies. When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email address. We or service providers on our behalf may then use this information to send communications and marketing to those email addresses.
You may opt out of this advertising by visiting https://app.retention.com/optout. If international company-level identification or GDPR-related identification features are enabled, you may also opt out of certain personal data collection by visiting https://www.rb2b.com/rb2b-gdpr-opt-out.
Cliniva AI does not intend to use marketing-identification technologies to collect PHI from patient portals, authenticated clinical workflows, or pages where visitors are instructed to submit protected health information. PHI handling remains governed by the applicable BAA and customer agreements.
5. How We Use Information
We use information to:
- provide, operate, secure, and maintain the Application;
- authenticate users, manage sessions, process invitations, and enforce role-based access;
- create and manage accounts, clinics, customer records, users, memberships, permissions, and audit logs;
- support healthcare workflow features where authorized;
- process customer requests, implementation tasks, support tickets, and service communications;
- provide AI-assisted workflow routing, summarization, classification, and automation features subject to human review;
- administer billing, plans, subscriptions, invoices, and payment processing;
- monitor performance, troubleshoot errors, prevent fraud, and detect security incidents;
- comply with legal, contractual, accounting, tax, audit, HIPAA, privacy, and security obligations;
- enforce agreements and protect our rights, users, customers, and services;
- improve Application usability, reliability, security, and service offerings; and
- conduct marketing, business outreach, campaign measurement, and online data partner activities where enabled and legally permitted.
6. Legal Bases for Processing
Where GDPR or similar law applies, we rely on one or more of the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account access, authentication, service delivery, billing, and support | Contractual necessity |
| Security monitoring, fraud prevention, diagnostics, service improvement, and administrative operations | Legitimate interests |
| HIPAA/healthcare, tax, accounting, legal response, and regulatory obligations | Legal obligation |
| Optional marketing, non-essential cookies, and certain communications | Consent where required |
| PHI processing as a business associate | Applicable BAA and customer instructions, plus legal obligations |
7. How We Share Information
We may share information with:
- Customer organizations and authorized administrators to manage their accounts, clinics, users, roles, workflows, billing, audit events, and data;
- Service providers such as cloud hosting, database, email, security, analytics, monitoring, payment, support, document, AI/API, and infrastructure providers;
- Online data partners and marketing vendors such as RB2B/Retention.com or similar providers, if enabled, to support website visitor identification, campaign measurement, business outreach, and advertising or marketing communications;
- Integration partners when a customer authorizes integrations with EHR/EMR, calendar, messaging, document, CRM, payment, or other systems;
- Professional advisors such as lawyers, accountants, auditors, insurers, and security consultants;
- Authorities or third parties when required by law, subpoena, court order, regulatory request, or to protect rights and safety;
- Business transaction parties in connection with a merger, financing, acquisition, reorganization, or sale of assets; and
- Others with consent or customer instruction.
We do not sell PHI. We do not sell personal information in the ordinary sense. If online data partner, advertising, or analytics activity constitutes “sale” or “sharing” under California law, we will provide required notices and opt-out mechanisms, which may include a “Do Not Sell or Share My Personal Information” link or similar control.
8. AI Providers and Model Processing
When AI-assisted features are enabled, information may be processed by AI model providers or infrastructure providers to generate workflow drafts, classifications, summaries, routing suggestions, or other outputs. Customer agreements may restrict which data can be sent to specific AI providers and whether data may be used for model training. Unless expressly stated in a signed agreement, users should not assume AI outputs are final, accurate, or appropriate without human review.
9. Data Retention
We retain information for as long as needed to provide the Application, maintain accounts, comply with agreements, resolve disputes, enforce terms, meet legal/tax/accounting/security obligations, preserve audit logs, maintain backups, and support customers. Typical retention categories include:
| Data Type | Typical Retention |
|---|---|
| Account and user records | duration of account access plus a reasonable administrative period |
| Sessions and authentication logs | as needed for security, troubleshooting, and audit purposes |
| Customer and clinic records | as directed by customer agreements and applicable law |
| PHI and clinical workflow records | as required by BAA, customer instructions, and healthcare law |
| Billing and transaction records | as required for accounting, tax, chargeback, and legal obligations |
| Support and communications | as needed for service history, legal, and operational needs |
| Backups and logs | retained according to backup, disaster recovery, and security practices |
10. Security
We use commercially reasonable technical and organizational safeguards designed to protect information, including role-based access controls, hashed credentials/session tokens, secure cookies, audit logs, encryption in transit where supported, limited access, and security monitoring. No system is perfectly secure. Users and customers must protect credentials, configure access appropriately, use secure devices, and promptly report suspected incidents.
11. Your Privacy Choices and Rights
Depending on your location and relationship to us, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal information, to withdraw consent where processing is based on consent, and to opt out of certain targeted advertising, sale, or sharing activities where required by law. Requests may be subject to identity verification, customer-admin approval, legal exceptions, BAA restrictions, retention obligations, and security limitations.
Authorized users seeking access to customer-controlled data should usually contact their organization’s administrator first. Privacy requests may be sent to privacy@clinivaai.com or legal@clinivaai.com. RB2B/Retention.com advertising opt-out requests may also be submitted at https://app.retention.com/optout, and GDPR-related RB2B opt-out requests, where applicable, may be submitted at https://www.rb2b.com/rb2b-gdpr-opt-out.
12. California Privacy Notice
California residents may have rights to know, access, correct, delete, and opt out of certain sale or sharing of personal information, including certain online data partner or targeted advertising activities where applicable, and to limit use of sensitive personal information where applicable. We do not discriminate for exercising privacy rights.
Categories of personal information we may collect include identifiers, professional or employment-related information, commercial information, internet or electronic network activity, account credentials, sensitive personal information where required for authorized services, and health-related information where covered by appropriate agreements. We collect and use these categories for the purposes described in this Policy.
13. International Users
Information may be processed in the United States and other countries where we or our providers operate. Where required, we use appropriate safeguards such as contractual commitments, data processing agreements, and customer instructions.
14. Children
The Application is not directed to children under 13, and we do not knowingly collect personal information from children through public websites. Healthcare customers are responsible for any lawful processing of minor patient information under their agreements and applicable law.
15. Changes to This Policy
We may update this Policy from time to time. The updated version will be posted with a new effective date. Material changes may also be communicated through the Application, email, or other reasonable notice.
16. Contact
Privacy questions or requests may be sent to privacy@clinivaai.com or legal@clinivaai.com.