Privacy Policy

Effective Date: October 29, 2025
Last Modified: December 2, 2025

Cair Health, Inc. (“Cair,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our websites, sales and marketing activities, communications, support channels, software platform, and related services (collectively, the “Services”).

Cair provides an AI-powered revenue cycle management platform and related software and support services to healthcare providers, clinics, and other healthcare organizations. Cair’s Services may support medical insurance workflows, including claims processing, denials management, payer communications, coding and billing workflows, payment operations, documentation workflows, and revenue cycle optimization.

Cair is not a healthcare provider and does not provide medical advice, diagnosis, treatment, or care.

1. Scope of This Privacy Policy

This Privacy Policy applies to personal information we collect through our websites, demos, forms, emails, SMS/text communications, support channels, customer communications, software platform, integrations, and related Services.

Cair may process protected health information (“PHI”) on behalf of healthcare providers, clinics, covered entities, business associates, or other healthcare customers. When Cair creates, receives, maintains, or transmits PHI on behalf of a customer, Cair does so as a business associate or subcontractor under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”).

In those cases, Cair’s use and disclosure of PHI is governed by the applicable customer agreement, business associate agreement, subcontractor business associate agreement, applicable law, and the instructions of the customer. If there is a conflict between this Privacy Policy and an applicable business associate agreement with respect to PHI, the business associate agreement will control.

2. Information We Collect

We may collect personal information directly from you, from our customers, from healthcare systems or integrations, from service providers, and automatically when you use our websites or Services.

The categories of information we may collect include:

Contact and account information, such as name, email address, phone number, job title, organization name, login credentials, and account settings.

Professional and business information, such as role, employer, clinic or provider affiliation, National Provider Identifier where applicable, and information related to your use of the Services on behalf of a customer.

Health and revenue cycle information, including PHI, billing information, claims information, patient demographic information, insurance information, payment information, medical record information, coding documentation, provider documentation, payer communications, denials information, remittance information, and other information needed to provide the Services selected by our customers.

Integration and healthcare system information, including information received from or exchanged with electronic health record systems, practice management systems, clearinghouses, APIs, FHIR interfaces, HL7 messages, X12/EDI files, customer-provided files, and other healthcare or billing systems.

Payment and transaction information, such as billing contact information, payment status, transaction records, and related financial information.

Communications and support information, such as messages you send to us, support requests, call notes, feedback, survey responses, and records of communications with Cair.

Device, usage, and technical information, such as IP address, browser type, device identifiers, operating system, pages viewed, referring URLs, timestamps, log files, performance data, and information collected through cookies or similar technologies.

AI-generated or automated workflow information, such as claim classifications, coding suggestions, denial analyses, payer communication summaries, workflow recommendations, quality checks, and other outputs generated in connection with the Services.

3. How We Use Information

We use personal information to provide, operate, support, secure, and improve the Services. This may include using information to:

Provide our AI-powered revenue cycle management platform and related software and support services.

Support claims, coding, billing, payment, documentation, payer communication, denials management, workflow automation, account management, and related RCM functionality.

Create, manage, and authenticate user accounts.

Respond to questions, support requests, demos, and sales inquiries.

Communicate with customers and users about the Services, including operational, security, support, and administrative messages.

Process payments, invoices, and customer account administration.

Monitor, maintain, troubleshoot, and secure the Services.

Comply with customer agreements, business associate agreements, legal obligations, regulatory requirements, and lawful requests.

Protect the rights, safety, privacy, security, and property of Cair, our customers, users, patients, and others.

Develop, test, maintain, and improve the Services, subject to applicable customer agreements, business associate agreements, and law.

Where Cair processes PHI, Cair uses and discloses PHI only as permitted by the applicable customer agreement, business associate agreement, subcontractor business associate agreement, customer instructions, and applicable law.

4. HIPAA and PHI

When Cair processes PHI as a business associate or subcontractor, Cair is committed to handling PHI in accordance with HIPAA, applicable business associate agreements, customer instructions, and applicable law.

Cair uses and discloses PHI only as permitted by the applicable customer agreement, business associate agreement, subcontractor business associate agreement, or as required by law.

Cair applies the HIPAA “minimum necessary” standard where applicable. This means Cair seeks to limit access to and use of PHI to the minimum amount reasonably necessary to provide the Services, support customer workflows, maintain security, and comply with applicable obligations.

Patients and individuals should generally contact their healthcare provider, clinic, health plan, or other relevant healthcare organization directly to exercise HIPAA rights related to medical records or PHI, including requests for access, amendment, restrictions, or accounting of disclosures. Where required, Cair will assist its customers in responding to such requests in accordance with applicable agreements and law.

5. Artificial Intelligence and Automation

Cair uses artificial intelligence, machine learning, automation, and related technologies to provide and support the Services, including revenue cycle management, billing, coding, claims, denials management, payer communications, documentation, workflow automation, quality assurance, and related functionality.

Where Cair processes PHI or other customer data using AI or automation, Cair does so only as needed to provide, support, secure, maintain, and improve the Services as permitted by the applicable customer agreement, business associate agreement, subcontractor business associate agreement, customer instructions, and applicable law.

Cair does not use PHI to train general-purpose AI models or third-party foundation models except as expressly permitted by the applicable customer agreement, business associate agreement, or law.

6. How We Share Information

We may disclose personal information as described below:

With customers and authorized users. We may share information with the healthcare provider, clinic, or organization that uses the Services and with authorized users acting on that customer’s behalf.

With service providers and subcontractors. We may share information with vendors and service providers that help us operate our business and provide the Services, including hosting, infrastructure, security, communications, customer support, analytics, payment processing, AI processing, and professional services. Where required, Cair enters into business associate agreements or subcontractor business associate agreements with third parties that create, receive, maintain, or transmit PHI.

With healthcare systems and integrations. We may exchange information with EHRs, practice management systems, clearinghouses, payers, APIs, and other systems as needed to provide the Services and as authorized by our customers.

For legal and compliance purposes. We may disclose information when we believe it is necessary to comply with applicable law, legal process, regulatory obligations, court orders, subpoenas, or lawful government requests.

To protect rights and security. We may disclose information where we believe it is necessary to protect the rights, privacy, safety, security, or property of Cair, our customers, users, patients, or others.

In connection with business transactions. We may disclose information in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, subject to applicable legal and contractual protections.

With consent or direction. We may disclose information with your consent or at the direction of our customer, where permitted by law.

Cair does not sell PHI. Cair does not use PHI for targeted advertising.

7. Cookies, Analytics, and Similar Technologies

We may use cookies, pixels, log files, and similar technologies on our websites and Services for functionality, analytics, security, performance, and service improvement.

These technologies may collect information such as IP address, browser type, device information, pages viewed, referring URLs, and timestamps. We use this information to understand website usage, maintain security, improve performance, and support our business operations.

Cair does not knowingly use tracking technologies to collect PHI or to target advertising based on health information.

8. SMS, Email, and Communications

Cair may send emails, SMS/text messages, or other communications related to demos, inquiries, support, account administration, security, and the Services.

If you opt in to receive SMS/text messages from Cair, message and data rates may apply. You may opt out of SMS/text communications by replying STOP, where supported. We do not share mobile opt-in data or SMS consent with third parties for their marketing or promotional purposes.

Some communications are transactional or service-related and may be necessary to provide the Services. You may not be able to opt out of these operational communications while using the Services.

9. Data Retention

We retain personal information for as long as necessary to provide the Services, to comply with customer contracts, business associate agreements, legal obligations, and regulatory requirements, and for legitimate business purposes.

Retention periods may vary depending on the type of information, the customer relationship, legal requirements, contractual obligations, and the nature of the Services. Where Cair processes PHI on behalf of a customer, retention and deletion may be governed by the applicable customer agreement, business associate agreement, customer instructions, and law.

10. Security

Cair uses reasonable administrative, technical, and physical safeguards designed to protect personal information and PHI from unauthorized access, use, disclosure, alteration, or destruction.

These safeguards may include access controls, authentication, encryption, audit logging, monitoring, workforce training, vendor management, incident response procedures, and other security measures appropriate to the nature of the information we process.

Cair maintains policies and procedures designed to support compliance with applicable HIPAA security requirements when Cair processes PHI as a business associate or subcontractor.

However, no system, network, or method of transmission over the internet is completely secure. We cannot guarantee the absolute security of information transmitted to or through the Services.

11. Incident Response and Breach Notification

Cair maintains incident response procedures designed to identify, investigate, contain, and remediate security incidents.

Where an incident involves PHI, Cair will notify affected customers as required by applicable business associate agreements, subcontractor business associate agreements, HIPAA, HITECH, and other applicable laws. Cair will cooperate with customers as reasonably required to support their legal and contractual obligations.

12. Your Privacy Choices and Rights

Depending on where you live and the type of information involved, you may have rights to request access to, correction of, deletion of, or restrictions on certain personal information. You may also have the right to object to certain processing or request a copy of certain personal information.

To make a privacy request, contact us at support@cairhealth.com.

If your request relates to PHI that Cair processes on behalf of a healthcare provider, clinic, health plan, or other customer, we may direct your request to that customer or assist the customer in responding as required by the applicable business associate agreement and law. Patients should contact their healthcare provider directly for requests relating to medical records or HIPAA rights.

13. California Privacy Rights

California residents may have additional privacy rights under California law, depending on how they interact with Cair and whether an exception applies.

California privacy laws may provide rights to know, access, correct, delete, or limit certain uses of personal information, and to opt out of certain sharing or sales of personal information. Certain PHI or medical information may be exempt from some California consumer privacy requirements when handled in accordance with HIPAA or other applicable medical privacy laws.

Cair does not sell PHI. Cair does not use PHI for targeted advertising.

Cair handles medical information subject to applicable California medical privacy laws, including the California Confidentiality of Medical Information Act where applicable.

To submit a California privacy request, contact us at support@cairhealth.com with “California Privacy Request” in the subject line.

14. U.S. Operations and International Access

Cair is based in the United States, and the Services are primarily designed for healthcare organizations operating in the United States.

If you access the Services from outside the United States, your information may be transferred to, stored in, or processed in the United States or other jurisdictions where Cair or its service providers operate. These jurisdictions may have privacy and data protection laws that differ from those in your location.

Where Cair processes PHI, Cair handles such information in accordance with applicable customer agreements, business associate agreements, customer instructions, and law.

15. Children’s Privacy

The Services are intended for use by healthcare providers, clinics, healthcare organizations, and authorized users. Cair does not knowingly collect personal information directly from children under 13 through its websites or sales channels.

Cair may process information about minors when provided by or on behalf of a healthcare customer as part of the Services. In those cases, Cair processes the information as a business associate or subcontractor, as permitted by the applicable customer agreement, business associate agreement, customer instructions, and law.

16. Third-Party Services and Integrations

The Services may include links to, integrations with, or data exchanges involving third-party services, systems, or platforms, including EHR systems, practice management systems, clearinghouses, payers, APIs, and other healthcare technology systems.

Third-party services are governed by their own terms and privacy policies. Cair is not responsible for the privacy practices of third-party services that are not acting as Cair’s service providers or subcontractors.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last Modified” date above and may provide additional notice as required by law or contract.

For changes that materially affect PHI processing, Cair will provide notice or obtain agreement from customers where required by applicable customer agreements, business associate agreements, or law.

Your continued use of the Services after an updated Privacy Policy becomes effective means you acknowledge the updated Privacy Policy.

18. Contact Us

If you have questions about this Privacy Policy or Cair’s privacy practices, please contact us at:

Cair Health, Inc.
3533 La Mata Way
Palo Alto, CA 94306

Email: support@cairhealth.com