Privacy practices for a healthcare AI workflow platform.

This Privacy Policy explains how CouncilAI (“CouncilAI,” “Council,” “we,” “our,” or “us”) collects, uses, discloses, and protects information when you access or use the CouncilAI web application, APIs, integrations, document-processing tools, support channels, and related services (collectively, the “Service”).

CouncilAI is designed for healthcare organizations and professionals. Depending on how your organization uses the Service, we may act as a service provider, processor, or business associate to your organization, and your organization may be the party primarily responsible for deciding what information is submitted to the Service.

If your organization has a separate order form, business associate agreement, data processing agreement, or other written contract with CouncilAI, that agreement controls if it conflicts with this Privacy Policy.

We collect information directly from users and organizations, automatically from devices and browsers, and from service providers and integrations that support the Service.

We use information we collect to:

• Provide, operate, maintain, and improve the Service and its healthcare workflow features.
• Authenticate users, enforce role-based permissions, and manage account provisioning and approval flows.
• Process prompts, documents, templates, search queries, and retrieval-augmented generation requests at the direction of users and organizations.
• Monitor performance, investigate incidents, detect misuse, and maintain system integrity and audit trails.
• Communicate with customers about service updates, support requests, security notices, and account administration.
• Manage contracts, invoices, usage reporting, and other commercial operations.
• Comply with legal obligations, resolve disputes, and enforce our agreements and policies.
• Create aggregated or de-identified analytics where permitted by law and contract and where the data no longer reasonably identifies an individual.

CouncilAI uses large language model, document processing, retrieval, and search workflows to respond to user requests. To do that, the Service may temporarily or persistently process prompts, uploaded files, template content, extracted text, metadata, embeddings, citations, and generated outputs.

Depending on configuration, documents may be segmented, embedded, indexed, stored in organization-scoped or conversation-scoped stores, and later retrieved to support search, summarization, drafting, or question-answering.

• Users and organizations are responsible for choosing what content to upload or submit.
• Generated output may reflect the inputs provided, configured models, and retrieved source material.
• AI-generated content can be incomplete or inaccurate and should be reviewed by qualified personnel before clinical, operational, or compliance use.

The Service may be used by covered entities, business associates, clinicians, and healthcare staff. If you submit protected health information or other regulated data, you represent that you have the legal authority and contractual basis to do so.

• Your organization remains responsible for patient notices, consents, minimum necessary determinations, and other legal obligations that apply to the data it chooses to submit.
• Where applicable, a separate business associate agreement, data processing agreement, or similar contract governs additional privacy and security commitments for regulated data.
• The Service is not intended for direct-to-consumer patient emergency communications or automated clinical decision-making without human review.

We may disclose information in the following circumstances:

• To your organization, its administrators, and authorized users based on the permissions and workflows your organization enables.
• To vendors and subprocessors that help us provide hosting, authentication, storage, analytics, monitoring, communications, payment processing, and AI-related functionality.
• To third-party integrations or downstream systems when you or your organization configure or authorize those connections.
• To comply with law, regulation, legal process, government requests, or to protect rights, safety, security, or property.
• As part of a merger, acquisition, financing, reorganization, or asset sale, subject to appropriate confidentiality protections.
• With your consent or at your direction.

We expect our vendors to handle information only for authorized business purposes and subject to reasonable confidentiality and security obligations.

We use cookies, local storage, and similar technologies to operate the Service and remember user preferences. These technologies may support authentication, session continuity, security controls, interface preferences, and measurement of service usage and reliability.

• Essential cookies and tokens may be required for sign-in, session management, and access control.
• Local preferences may store settings such as theme or accessibility choices.
• Security and operational telemetry may capture event logs, request metadata, and usage diagnostics.

You can control some browser storage through your device or browser settings, but disabling certain technologies may limit the functionality of the Service.

We retain information for as long as reasonably necessary to provide the Service, honor customer instructions, comply with legal and contractual obligations, maintain audit and security records, resolve disputes, and enforce our agreements.

• Customer content may remain available until deleted by the customer, removed under retention settings, or deleted at the end of the contractual relationship.
• Audit, fraud-prevention, and security logs may be kept longer where needed for compliance, incident response, or legal obligations.
• Backups and archived copies may persist for a limited period before they are overwritten or deleted.

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, alteration, and disclosure. These measures may include encryption in transit, access controls, session management, role-based permissions, audit logging, environment segregation, and monitoring for suspicious activity.

No security program can eliminate all risk. You are responsible for safeguarding your devices, credentials, and any local copies of information exported from the Service.

Depending on your relationship with CouncilAI and the laws that apply, you may have the right to request access to, correction of, deletion of, export of, or restriction of certain personal information.

• If your account is provided through a healthcare organization or employer, start by contacting your organization administrator or privacy office because that organization may control the account and submitted data.
• We may request information needed to verify your identity and authority before processing a request.
• We may decline or limit requests where required or permitted by law, contract, security obligations, or the rights of others.

CouncilAI may use service providers or infrastructure in the United States and other countries. If information is transferred across borders, we take steps designed to ensure the transfer is subject to appropriate safeguards consistent with applicable law and contractual commitments.

The Service is intended for professional and organizational use, not for children. We do not knowingly offer the Service directly to children or knowingly collect personal information from children for consumer use of the Service.

We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and update the effective date above. If changes are material, we may also provide additional notice, such as within the Service, by email, or through your organization administrator.

For privacy questions, data requests, or complaints, contact your designated CouncilAI support contact or organization administrator. If you use CouncilAI through a healthcare organization, you should generally contact your organization administrator, privacy office, or designated support channel first.