Privacy Policy
Last updated: June 14, 2026
How Volari handles data. Protected health information is governed by our Business Associate Agreement; this policy explains the other personal information we collect, your rights, and our no-sale and no-AI-training commitments.
1. Two kinds of data — and which rules apply
Volari handles two distinct categories of data, governed by different rules:
- Protected Health Information (PHI) — claim and remittance data we process strictly as a business associate on behalf of a healthcare practice (our customer). PHI is governed by HIPAA, the California Confidentiality of Medical Information Act (CMIA), and the Business Associate Agreement (BAA) we sign with each customer — not by this Privacy Policy. Where this policy and the BAA conflict regarding PHI, the BAA controls.
- Other personal information — information we collect from website visitors, prospects, and customer contacts. That information is covered by this Privacy Policy.
The CCPA exemption for HIPAA-governed data applies to the PHI and medical information itself, not to Volari as a company. The personal information described in this Policy (website, marketing, and business-contact data) is not PHI and is subject to the CCPA/CPRA and other state privacy laws; this Policy governs it.
2. Personal information we collect (last 12 months)
We have collected the following categories of personal information (as defined by Cal. Civ. Code §1798.140), for the purposes and retention periods below. We do not sell or share any category.
- Identifiers (name, email, phone) — from you or business-data providers — to respond to inquiries, set up accounts, and conduct outreach. Retained for the duration of the relationship plus a limited period, then deleted or de-identified.
- Commercial information (practice/organization, service interest) — from you — to provide and support the Service. Same retention.
- Internet/network activity & approximate geolocation (pages viewed, referrer, IP-derived region, cookies) — automatically — for analytics and security. Retained ~13–24 months.
- Professional information (role, non-PHI practice details) — from you — for service provision. Same retention.
We do not collect sensitive personal information about website visitors or contacts for the purposes covered by this Policy, and we do not build inference profiles. (Counsel to confirm exact retention periods before publication.)
3. How we use it
We use this information to provide and improve the Service, respond to inquiries, support customer accounts, send relevant communications (which you can opt out of), secure our systems, and meet legal obligations — applying the minimum-necessary principle.
4. How PHI is handled (summary)
When we work your denials, we access only the minimum necessary claim and remittance data (e.g., EOB/835) — not your full charts; for an appeal that needs a clinical note, only that one note for that one claim. PHI is encrypted in transit and at rest using industry-standard encryption, and access is logged and monitored. We handle medical information in compliance with HIPAA and California's CMIA. The complete terms are in the BAA. See our Security & HIPAA page.
5. We do not sell or share your data
We do not sell or "share" (as those terms are defined under the CCPA/CPRA) personal information or PHI, for any purpose, and we do not disclose your information for cross-context behavioral advertising. Because we do not sell or share, and do not use sensitive personal information for any purpose requiring a right to limit, we do not provide a "Do Not Sell or Share My Personal Information" link or a "Limit the Use of My Sensitive Personal Information" mechanism. If this ever changes, we will update this Policy and provide those mechanisms before doing so.
6. We do not train AI on your data
We do not use customer PHI or customer-identifiable data to train, fine-tune, or improve any AI model — ours or a vendor's — and our AI subprocessors are contractually prohibited from training on your data.
De-identified data. We may create and use de-identified and aggregated data only to operate and secure the Service. We treat "de-identified" to the standard required by both HIPAA (45 C.F.R. § 164.514(b)) and the CCPA (Cal. Civ. Code § 1798.140(m)): we take reasonable measures to ensure the data cannot be associated with, or used to infer information about, you, any patient, any individual, or any household; we publicly commit to maintain and use such data only in de-identified form and not to attempt to re-identify it (except solely to validate our de-identification process); and we contractually obligate any recipient of the data to the same. We do not use de-identified or aggregated patient-derived data to build, train, or productize AI models or intelligence features. De-identified data is not personal information and is not "your data" for the no-training commitment above.
7. Subprocessors
We use a limited set of vendors to provide the Service (cloud hosting, our clearinghouse, AI model providers, delivery, and analytics). Every subprocessor that handles PHI is bound by a BAA and by no-sale and no-training obligations. Our current list is at /subprocessors; subscribe there for notice of material changes.
8. Retention
We retain personal information only as long as needed for the purposes above or as required by law, then delete or de-identify it. PHI retention and return/destruction are governed by the BAA.
9. Your California (CCPA/CPRA) rights
If you are a California resident, you have the right to: (1) know/access the categories and specific pieces of personal information we collected, the sources, and purposes; (2) delete personal information we collected from you, subject to exceptions; (3) correct inaccurate personal information; (4) data portability; (5) opt out of sale/sharing and (6) limit use of sensitive personal information (we do neither — see §5); and (7) non-discrimination for exercising any right.
How to exercise. Submit a request to privacy@volari.ai. We will acknowledge within 10 business days and respond within 45 days (extendable by 45 more with notice). We verify your identity by matching information you provide against our records before fulfilling access, deletion, or correction requests. You may use an authorized agent with your written permission (and identity verification for access/deletion).
HIPAA rights (access, amendment, accounting of disclosures) are held by patients and exercised through the healthcare provider (covered entity). As business associate, Volari supports the provider in fulfilling those requests as required by the BAA.
10. Other U.S. state privacy rights
Residents of Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Montana, and other states with comprehensive privacy laws have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, and certain profiling. Volari does not sell personal data, engage in targeted advertising, or profile individuals to make decisions producing legal or similarly significant effects. To exercise rights, contact privacy@volari.ai; if we deny a request you may appeal by replying to our response, and we will respond within the time your state requires. We are implementing Global Privacy Control support; where it is enabled and legally required, we treat a GPC signal as a valid opt-out request.
11. Automated decision-making
Volari's AI is assistive: a qualified person at your practice reviews and approves outputs and makes all significant decisions. Volari does not use automated decision-making technology to make significant decisions about any individual without human involvement. If we adopt any such use, we will provide the notices and choices required by applicable law (including California's ADMT regulations).
12. Cookies & analytics
We use strictly necessary and analytics cookies, including PostHog for product and website analytics, to operate and secure the site and understand how it is used. We do not use cookies for cross-context behavioral advertising and do not share cookie data with advertisers. You can control cookies through your browser. As noted above, we are implementing Global Privacy Control support and treat a GPC signal as an opt-out where it is enabled and applicable.
13. Security
We maintain administrative, physical, and technical safeguards appropriate to the data we handle, including encryption, access controls, and audit logging. No method of transmission or storage is perfectly secure; we work to protect your information and to notify affected parties of incidents as required by law (including Cal. Civ. Code §1798.82) and the BAA.
14. Changes & contact
We may update this Policy; material changes will be posted here with a new "last updated" date. Questions: privacy@volari.ai.