Legal
Privacy Policy
Last updated: May 15, 2026
ClarityMed ("we", "us", or "our") operates claritymed.io and related services. This Privacy Policy explains what information we collect, why we collect it, and how we use it. We keep this plain-language — no legal maze.
1. What We Collect
Account Information
When you create a ClarityMed account we collect your name, email address, organization name, and a hashed password. If you sign in via Google or another OAuth provider, we receive your name and email from that provider.
Website URLs You Submit
When you run an analysis, you provide a publicly accessible website URL. We scrape the public-facing pages of that website — the same content any browser visitor would see. We do not access, and have no ability to access, password-protected patient portals, EHR systems, or any non-public pages.
Scraped Content
We temporarily store the text content, metadata, and technical signals extracted from the public pages we analyze. This data is used solely to generate your audit report and website proposal. Scraped content is associated with your account and subject to the retention policy below.
Billing Information
Payments are processed by Stripe. We never see or store your full credit card number. We receive a payment token, last four digits, card type, and billing address from Stripe for record-keeping.
Usage Data
We collect standard server logs including IP addresses, browser type, pages visited, and timestamps. We use this data to operate and improve the service, diagnose errors, and prevent abuse. We do not sell or share this data with third-party advertisers.
Cookies and Local Storage
We use strictly necessary cookies to maintain your authenticated session. We do not use advertising cookies or third-party tracking pixels. If you use our public-facing audit scanner, a session token is stored in your browser to track your analysis request.
2. What We Do NOT Collect
- Protected Health Information (PHI). ClarityMed only analyzes public website content. We have no access to patient records, appointment systems, billing systems, or any data governed by HIPAA.
- Patient data of any kind. The contact forms we analyze are the practice's public contact pages — not their patient management systems.
- Data from private or gated pages. Our scraper identifies and skips login-protected paths. If a page requires authentication, we skip it.
3. How We Use Your Information
- Provide the service. Run website audits, generate AI analysis reports, produce website proposals, and host generated websites on your behalf.
- Transactional emails. Send audit completion notifications, invoice receipts, and service alerts. We do not send marketing emails without your explicit opt-in.
- Customer support. Diagnose errors and respond to support requests.
- Service improvement. Analyze aggregate usage patterns (never individual scrape content) to improve our AI models and platform features.
- Legal obligations. Comply with applicable law, respond to lawful government requests, and enforce our Terms of Service.
4. AI Processing
Website content you submit for analysis is sent to Anthropic's Claude API to generate audit reports. Anthropic may retain API inputs for safety monitoring per their usage policies, but does not use your submitted content to train their models without opt-in consent. You can review Anthropic's privacy practices at anthropic.com/privacy.
We instruct the AI to analyze only the website content you submitted and to not make assumptions or invent information about the practice or its patients.
5. Third-Party Services
We rely on the following sub-processors to operate ClarityMed:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database & authentication | Account data, scraped content, analysis results |
| Anthropic | AI analysis engine | Scraped website text content |
| Vercel | Hosting & CDN | Server logs, IP addresses |
| Stripe | Payment processing | Name, email, billing address |
| Resend | Transactional email | Name, email address |
All sub-processors are contractually bound to use your data only to provide the contracted service and not for their own commercial purposes.
6. Data Retention
- Account data is retained for the life of your account plus 90 days after cancellation.
- Scraped page content is retained for 12 months from the analysis date, then permanently deleted.
- Generated websites remain accessible for the duration of your subscription. On cancellation, generated site data is retained for 30 days to allow export, then deleted.
- Billing records are retained for 7 years as required by financial regulations.
- Server logs are retained for 90 days.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access. Request a copy of the personal data we hold about you.
- Correction. Request correction of inaccurate data.
- Deletion. Request deletion of your account and associated personal data (subject to legal retention obligations).
- Portability. Request an export of your analysis results and generated content.
- Objection. Object to processing your data for certain purposes.
To exercise any of these rights, email hello@claritymed.io. We will respond within 30 days.
8. Data Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to production databases is restricted to authorized personnel and requires multi-factor authentication. We conduct regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security, but we take commercially reasonable precautions.
If we discover a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of it (as required by GDPR Article 33 where applicable).
9. HIPAA Notice
ClarityMed is not a HIPAA Business Associate.
ClarityMed analyzes only publicly accessible website content. We do not receive, process, transmit, or store Protected Health Information (PHI) as defined by HIPAA. The generated websites we produce use HIPAA-compliant third-party contact form providers — patient inquiries submitted through those forms are not routed through or stored on ClarityMed infrastructure. If your use case requires a Business Associate Agreement (BAA), ClarityMed is not the appropriate vendor for that scope of work.
10. Children's Privacy
ClarityMed is a business-to-business service. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has submitted information to us, contact us immediately at hello@claritymed.io.
11. Changes to This Policy
We may update this policy as the service evolves. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after changes take effect constitutes your acceptance of the revised policy.
12. Contact
Questions about this policy or your data? Email us at hello@claritymed.io. We aim to respond within 2 business days.