Privacy Policy

Last updated: March 31, 2026

Calypta Systems, Inc. ("Calypta," "we," "us," or "our") operates the Calypta Health platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and services.

Calypta Health offers two ways to access health guides: public guides available directly on our website, and partner-sponsored passes shared by clinicians and health organizations. These access modes have different privacy characteristics, described below.

1. Information We Collect

Public Guide Users

When you use a public health guide on our website and choose to start a conversation, we collect:

  • Your verified email address (provided at the email verification step before chat access)
  • Survey responses
  • Chat conversation content (with automatic PII redaction — see Section 3)
  • Flow activity metadata (cards viewed, completion status, timestamps)
  • IP address and user agent (for security and abuse prevention)

Calypta can link your verified email address to the conversation you start. We use this link for verification, session resume, abuse prevention, and support. Your email address is not sent to AI model providers.

We use a browser cookie and local storage to maintain your session. The cookie is scoped to your specific session, is not used for tracking or advertising, and expires when the session ends or after 30 days.

Browsing the guide content (cards, surveys) does not require an email or account. Email verification is only required to access the AI-powered conversation.

Partner Accounts

When you create an account to share Calypta flows with patients or members ("Partner Account"), we collect:

  • Your name and work email address
  • Your professional role
  • Health topics you're interested in
  • Login timestamps and IP addresses (for security purposes)

Pass Recipients (Default Mode)

When someone uses a partner-sponsored pass to access a flow, Calypta is intentionally designed to minimize or avoid linking the pass recipient's identity to their flow interaction data. We collect:

  • Survey responses (not linked to any individual)
  • Chat conversation content (de-identified, with PII automatically redacted)
  • Session metadata (timestamps, flow completion status)

Session continuity is maintained through a browser cookie scoped to the specific session. The cookie is not used for tracking or advertising and expires when the session ends or after 30 days.

Pass Recipients (Enterprise Mode)

Some organizations choose to operate in enterprise mode under a Business Associate Agreement. In this mode, with recipient consent, we may additionally collect:

  • Information linking a pass to a specific recipient
  • Full conversation transcripts (without PII redaction)
  • Additional identifiers provided by the sponsoring organization

Enterprise mode data is handled in accordance with HIPAA requirements and the terms of our Business Associate Agreement with the sponsoring organization. Recipients may opt out of data sharing even in enterprise mode.

Website Visitors

When you visit our marketing website, we may collect basic analytics data (pages viewed, referral source) to improve our services.

2. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Authenticate Partner Account holders
  • Verify email addresses for public guide chat access
  • Enable users to resume active sessions within the session period
  • Manage funded conversation capacity for public guides
  • Track pass redemption counts (not identities) for quota management
  • Analyze de-identified conversation and survey data to improve our flows
  • Conduct research on health decision support effectiveness
  • Detect and prevent fraud, abuse, and security incidents
  • Communicate with Partner Account holders and public guide users about their sessions

3. Automatic PII Redaction

We automatically detect and redact personally identifiable information (such as names, addresses, and phone numbers) from chat conversations before storage. This applies even when users voluntarily share such information during a conversation.

This redaction applies to chat conversation content, not to contact information you intentionally provide at the email verification step. Your verified email address is stored separately from your conversation and is not processed by our AI providers.

4. Third-Party Services

We use third-party service providers to operate Calypta Health. Different categories of providers process different categories of data:

  • Cloud infrastructure providers host the platform and store encrypted data.
  • AI service providers process chat conversations. They receive de-identified conversation content but do not receive your email address or other contact information.
  • Email delivery services send verification codes and account communications. They receive your email address but not your conversation content.
  • Payment processors handle transactions for Partner Accounts.

All providers process data on our behalf under contractual obligations to protect your information.

5. Data Retention

  • Partner Account data: Retained while your account is active and for up to 3 years after account closure for legal and audit purposes.
  • Public guide contact records: Verified email addresses and associated session metadata are retained for a limited period after the session ends. We may delete this data on a periodic basis; you may also request deletion at any time.
  • Email verification challenges: Verification codes expire within minutes. Verification records are removed after successful verification or replacement by a new code.
  • De-identified research data: Survey responses and redacted chat transcripts may be retained indefinitely for research and product improvement purposes. This data cannot be linked to any individual.
  • Security logs: IP addresses and access logs are retained for up to 90 days for security monitoring.

6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption in transit (TLS) and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Architectural separation between pass issuance and redemption systems
  • Browser-bound session ownership (sessions cannot be transferred by sharing a URL)

7. Cookies and Local Storage

When you start a health guide (either through a public guide or a partner-sponsored pass), we set a browser cookie to identify you as the owner of that session. This cookie:

  • Is scoped to your specific session (not shared across sessions or flows)
  • Is HttpOnly and cannot be read by other websites or scripts
  • Expires when the session ends or after 30 days
  • Is not used for advertising, analytics, or cross-site tracking

We also use browser storage to save your progress within a guide, so you can resume where you left off if you close and reopen the page. The specific storage mechanism varies by access mode but is always limited to your browser and is not shared with other sites.

8. Your Rights

All Users

You may contact us at any time to request access to, correction of, or deletion of your personal information.

Public Guide Users

Because your email address is linked to your session, we can locate and delete your contact record and associated session data on request. Contact us at privacy@calyptahealth.com with the email address you used.

Pass Recipients (Default Mode)

In default mode, flow interaction data (survey responses, chat transcripts) is not linked to any identifiable individual. Because this data cannot be connected to a specific person, we are unable to locate or delete specific records in response to individual requests. However, this also means this data cannot be used to identify you.

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Not be discriminated against for exercising your privacy rights

European Users (GDPR)

If you are in the European Economic Area, you have additional rights including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority.

9. Children's Privacy

Calypta Health is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 18.

Some of our guides address health decisions for minors. In these cases, the intended user is the parent or guardian making the decision, not the minor.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Partner Account holders of material changes by email or through the service. Your continued use of Calypta Health after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Calypta Systems, Inc.

Email: privacy@calyptahealth.com