Stonaris Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Stonaris ("we," "us," or "our") collects, uses, discloses, and protects information when you use our denial management platform and related services (the "Service"). This Policy applies to all users of the Service, including healthcare practice administrators, billing staff, and other authorized users.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you use the Service on behalf of a practice or organization, you confirm that you have the authority to accept this Policy on behalf of that entity.

2. Information We Collect

Account Information: When you create an account, we collect your name, work email address, password (stored in hashed form), role, and practice affiliation.

Practice Information: We collect practice details including practice name, address, phone number, fax number, NPI number, tax identification number, specialty, billing contacts, provider credentials, and practice logo.

Claim and Denial Data: When you use the Service, we process denial information, claim details, payer correspondence, Explanation of Benefits (EOB) documents, Electronic Remittance Advice (ERA/835) files, appeal letters, clinical evidence, supporting documentation, and related workflow data. This data may include Protected Health Information (PHI) as defined by HIPAA.

Payment Information: Billing and payment information is collected and processed by our third-party payment processor, Stripe. We do not directly store credit card numbers or full payment account details on our servers. We receive and store limited billing identifiers (such as Stripe customer IDs and subscription status) necessary to manage your subscription.

Usage and Technical Data: We automatically collect technical information including IP addresses, browser type and version, device information, operating system, pages visited, features used, timestamps, referral URLs, and general interaction patterns. This data is used for security monitoring, service improvement, and operational analytics.

Communications: If you contact us for support or provide feedback, we collect the content of those communications along with associated metadata.

Signatures: During onboarding, we collect electronic signatures for Business Associate Agreement (BAA) execution. Signature images are stored securely and used for legal compliance purposes.

3. How We Use Information

We use the information we collect to: (a) provide, operate, maintain, and improve the Service, including denial analysis, appeal letter generation, peer-to-peer call preparation, workflow management, and analytics; (b) process transactions and manage your subscription; (c) communicate with you about your account, service updates, security alerts, and support requests; (d) detect, prevent, and address fraud, abuse, security incidents, and technical issues; (e) comply with legal obligations, including HIPAA requirements, tax regulations, and law enforcement requests; (f) enforce our Terms of Service and protect the rights, property, and safety of Stonaris, our users, and the public; and (g) generate aggregated, anonymized, and de-identified analytics for product improvement, benchmarking, and research.

We do NOT use your data, including PHI, to train artificial intelligence or machine learning models. AI models used by the Service are provided by third-party vendors and process your data only to generate outputs for your specific use within the Service.

We do NOT sell, rent, or trade your personal information or PHI to third parties for marketing or advertising purposes.

4. HIPAA Compliance and Protected Health Information

When we process PHI on behalf of Covered Entities or their Business Associates, we do so in our capacity as a Business Associate under HIPAA. Our processing of PHI is governed by the Business Associate Agreement (BAA) executed between you and Stonaris.

We implement administrative, technical, and physical safeguards designed to protect PHI in accordance with the HIPAA Security Rule, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); role-based access controls and authentication safeguards including multi-factor authentication; comprehensive audit logging of all access to PHI; regular access reviews and security monitoring; workforce training on HIPAA obligations; and incident response procedures.

We process PHI in accordance with the minimum necessary standard, limiting access to PHI to authorized personnel and systems required to provide the contracted service.

In the event of a breach of unsecured PHI, we will notify affected Covered Entities in accordance with HIPAA Breach Notification Rule requirements (45 CFR §§ 164.400-414) and as specified in the executed BAA, without unreasonable delay and no later than sixty (60) days following discovery of the breach.

5. Data Sharing and Third-Party Service Providers

We share information with third-party service providers ("subprocessors") only as necessary to operate and deliver the Service. All subprocessors are contractually obligated to protect data in accordance with applicable law and our security requirements. Current subprocessors include:

Google Cloud Platform (GCP): Cloud infrastructure hosting, data storage, and AI model processing (Vertex AI). Data is processed in the United States. BAA executed with Google Cloud.

Stripe: Subscription billing and payment processing. Stripe processes payment information in accordance with PCI DSS standards.

Voyage AI: Text embedding generation for document analysis and retrieval. Processes document content to generate vector representations.

SRFax: Secure fax transmission for appeal letter delivery to payers. Processes documents containing PHI for fax transmission.

Lob: Physical mail delivery for appeal letters and correspondence. Processes mailing addresses and document content.

Resend: Transactional email delivery for non-PHI system notifications only (account confirmations, password resets, billing notices). No PHI is transmitted via Resend.

Vapi: AI-powered voice call functionality for peer-to-peer call preparation and payer communication support.

We may update this list of subprocessors from time to time. Material changes to subprocessors that process PHI will be communicated to affected customers.

We may also disclose information: (a) to comply with applicable law, regulation, legal process, or governmental request; (b) to enforce our Terms of Service; (c) to protect the rights, property, or safety of Stonaris, our users, or the public; (d) in connection with a merger, acquisition, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy with respect to your data; or (e) with your consent.

6. Data Security

We take the security of your data seriously and implement industry-standard administrative, technical, and physical safeguards, including: encryption of all data in transit using TLS 1.2 or higher; encryption of stored data at rest using AES-256; role-based access controls with least-privilege principles; multi-factor authentication support; comprehensive audit logging and monitoring; regular security assessments and vulnerability scanning; and secure software development practices.

Despite our efforts, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and for any activity under your account.

7. Data Retention and Deletion

We retain your data for as long as necessary to provide the Service, comply with legal and contractual obligations, resolve disputes, and enforce our agreements.

Upon termination of your subscription, we retain Customer Data for thirty (30) days to allow you to request an export. After this period, Customer Data may be permanently deleted from our active systems.

Certain data may be retained beyond the standard retention period as required by: applicable law or regulation; HIPAA record retention requirements; ongoing legal proceedings or investigations; or legitimate business purposes such as maintaining audit trails.

You may request deletion of your account and associated data by contacting support@stonaris.com. We will process deletion requests in accordance with applicable law, our BAA obligations, and necessary retention requirements. Deletion from backup systems may take up to ninety (90) days.

8. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information, including the right to: access the personal information we hold about you; correct inaccurate or incomplete information; request deletion of your personal information, subject to legal and contractual retention requirements; receive a copy of your data in a portable format; and object to or restrict certain processing activities.

To exercise any of these rights, contact us at support@stonaris.com. We may verify your identity and authority before processing requests. We will respond to verified requests within the timeframes required by applicable law.

Please note that certain rights may not apply to PHI governed by HIPAA. Requests related to PHI should be directed to the applicable Covered Entity (your healthcare practice), which controls the PHI and determines how such requests are handled.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share information.

Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.

Right to Correct: You have the right to request correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing: We do NOT sell or share personal information for cross-context behavioral advertising purposes. No opt-out action is required.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, contact us at support@stonaris.com. Note: PHI processed pursuant to HIPAA is exempt from CCPA/CPRA requirements.

10. Cookies and Tracking Technologies

We use essential cookies and similar technologies to operate the Service, maintain your session, remember your preferences, and ensure security. These cookies are strictly necessary for the Service to function and cannot be disabled.

We may use analytics tools to collect usage data in aggregated form to understand how the Service is used and to improve performance. We do not use third-party advertising cookies or tracking pixels.

Most web browsers allow you to manage cookie preferences through browser settings. Disabling essential cookies may impair your ability to use the Service.

We do not respond to Do Not Track (DNT) browser signals, as there is no industry-standard method for honoring DNT in the context of B2B SaaS applications. Our data practices are the same regardless of DNT settings.

11. AI and Data Processing

The Service uses artificial intelligence (AI) and machine learning technologies, including large language models provided by third-party vendors, to analyze denial information and generate workflow outputs such as appeal letters, clinical summaries, and talking points.

When AI features are used, relevant data (which may include PHI) is transmitted to our AI infrastructure provider (Google Cloud Platform Vertex AI) for processing. This processing occurs within the United States and is subject to our BAA with Google Cloud.

We do NOT use Customer Data, including PHI, to train, fine-tune, or improve AI or machine learning models. Your data is processed solely to generate outputs for your specific use and is not retained by AI model providers for training purposes.

AI-generated outputs are provided for reference and workflow support only. They may contain errors or inaccuracies and must be reviewed by qualified professionals before use.

12. Children's Privacy

The Service is designed for use by healthcare professionals and business users. It is not directed at and is not intended for use by individuals under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

13. Data Processing Location

The Service is hosted and operated in the United States. Your data, including PHI, is stored and processed within the United States on Google Cloud Platform infrastructure. By using the Service, you consent to the transfer, storage, and processing of your data in the United States.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least thirty (30) days before the changes take effect.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

The "Last updated" date at the top of this page indicates when this Policy was most recently revised.

15. Contact Us

For questions about this Privacy Policy, data protection practices, BAA requests, or to exercise your privacy rights, contact us at:

Email: support@stonaris.com

We will respond to all inquiries within a reasonable timeframe and in accordance with applicable legal requirements.