Privacy Policy
Last updated: March 30, 2026
1. Introduction
CriteriaIQ ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our medical necessity analysis platform, including our Chrome extension and web platform (collectively, the "Service").
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and facility information provided during registration or through Google OAuth.
Usage Data
We collect data about how you use the Service, including the number and type of analyses performed, timestamps, and feature usage. This data is used to enforce plan limits and improve the Service.
Patient Data (PHI)
The Service processes patient chart data from Kipu EMR to generate medical necessity documentation. This data is transmitted to our AI processing partner (Anthropic PBC) for analysis and is not stored on CriteriaIQ servers beyond what is necessary to complete the analysis. Users who are covered entities must execute a Business Associate Agreement (BAA) before processing PHI.
Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers or full payment details on our servers. We receive limited payment confirmation data from Stripe.
Technical Data
We may collect browser type, IP address, and other technical information for security and performance monitoring purposes.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process transactions and manage subscriptions
- Validate licenses and enforce plan limits
- Send administrative communications including receipts and service updates
- Respond to support requests
- Monitor and improve the performance and security of the Service
- Comply with legal obligations
4. How We Share Your Information
We do not sell your personal information. We may share information with:
- Anthropic PBC — Our AI processing partner. Patient chart data is transmitted to Anthropic's Claude API for medical necessity analysis. We are actively pursuing a BAA with Anthropic.
- Stripe — Payment processing. Stripe's privacy policy governs their use of payment data.
- Service providers — Hosting, database, and infrastructure providers who process data on our behalf under confidentiality obligations.
- Legal requirements — When required by law, court order, or governmental authority.
5. HIPAA and Protected Health Information
CriteriaIQ is designed for use by covered entities under HIPAA. We implement administrative, physical, and technical safeguards to protect PHI in accordance with HIPAA requirements. Users must execute a BAA with CriteriaIQ before processing real patient PHI. To request a BAA, visit criteriaiq.com/baa-request.
6. Data Retention
We retain account and usage data for the duration of your subscription and for a reasonable period thereafter for legal and business purposes. Patient chart data transmitted for analysis is not retained on our servers beyond the immediate processing session. Upon account termination, we will delete or return your data upon request in accordance with our BAA obligations.
7. Security
We implement industry-standard security measures including encrypted connections (HTTPS/TLS), access controls, and regular security monitoring. However, no method of transmission over the internet is 100% secure. We encourage you to use strong passwords and protect your account credentials.
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Object to or restrict our processing of your information
- Request data portability
To exercise these rights, contact us at support@criteriaiq.com.
9. Cookies
Our website uses essential cookies for authentication and session management. We do not use advertising or tracking cookies. You can control cookie settings through your browser.
10. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after such notice constitutes your acceptance of the updated policy.
12. Contact Us
For questions about this Privacy Policy or our privacy practices:
CriteriaIQ
Email: support@criteriaiq.com
Phone: 786-252-3098