Privacy Policy

Last updated: December 12, 2025

Calypta Systems, Inc. ("Calypta," "we," "us," or "our") operates the Calypta Health platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and services.

1. Information We Collect

Partner Accounts

When you create an account to share Calypta flows with patients or members ("Partner Account"), we collect:

  • Your name and work email address
  • Your professional role
  • Health topics you're interested in
  • Login timestamps and IP addresses (for security purposes)

Pass Recipients (Default Mode)

By default, when someone uses a Calypta pass to access a flow, we do not collect personally identifying information. We cannot determine who redeemed a particular pass. We do collect:

  • Survey responses (anonymous, not linked to any individual)
  • Chat conversation content (de-identified, with PII automatically redacted)
  • Session metadata (timestamps, flow completion status)

We do not use cookies for pass recipients. Session continuity is maintained through a URL-based token that we store only in hashed (irreversible) form. This means we cannot reconstruct the connection between a pass and its recipient.

Pass Recipients (Enterprise Mode)

Some organizations choose to operate in enterprise mode under a Business Associate Agreement. In this mode, with recipient consent, we may additionally collect:

  • Information linking a pass to a specific recipient
  • Full conversation transcripts (without PII redaction)
  • Additional identifiers provided by the sponsoring organization

Enterprise mode data is handled in accordance with HIPAA requirements and the terms of our Business Associate Agreement with the sponsoring organization. Recipients may opt out of data sharing even in enterprise mode.

Website Visitors

When you visit our marketing website, we may collect basic analytics data (pages viewed, referral source) to improve our services.

2. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Authenticate Partner Account holders
  • Track pass redemption counts (not identities) for quota management
  • Analyze de-identified conversation and survey data to improve our flows
  • Conduct research on health decision support effectiveness
  • Detect and prevent fraud, abuse, and security incidents
  • Communicate with Partner Account holders about their accounts

3. Automatic PII Redaction

In default mode, we automatically detect and redact personally identifiable information (such as names, addresses, and phone numbers) from chat conversations before storage. This applies even when users voluntarily share such information.

4. Third-Party Services

We use third-party service providers to operate Calypta Health, including cloud infrastructure providers, AI service providers, email delivery services, and payment processors. These providers process data on our behalf under contractual obligations to protect your information.

5. Data Retention

  • Partner Account data: Retained while your account is active and for up to 3 years after account closure for legal and audit purposes.
  • De-identified research data: Survey responses and redacted chat transcripts may be retained indefinitely for research and product improvement purposes. This data cannot be linked to any individual.
  • Security logs: IP addresses and access logs are retained for up to 90 days for security monitoring.

6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption in transit (TLS) and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Architectural separation between pass issuance and redemption systems

7. Your Rights

All Users

You may contact us at any time to request access to, correction of, or deletion of your personal information.

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Not be discriminated against for exercising your privacy rights

European Users (GDPR)

If you are in the European Economic Area, you have additional rights including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority.

Note for Pass Recipients (Default Mode)

In default mode, flow interaction data (survey responses, chat transcripts) is not linked to any identifiable individual. Because this data cannot be connected to a specific person, we are unable to locate or delete specific records in response to individual requests. However, this also means this data cannot be used to identify you.

8. Children's Privacy

Calypta Health is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 18.

Some of our flows address health decisions for minors. In these cases, the user is the parent or guardian making the decision, not the minor.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Partner Account holders of material changes by email or through the service. Your continued use of Calypta Health after changes take effect constitutes acceptance of the revised policy.

10. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Calypta Systems, Inc.

Email: privacy@calyptahealth.com