Privacy Policy

Effective date: May 4, 2025

Your privacy and data security are paramount. It is palmER Worldwide LLC's policy to respect your privacy and comply with applicable laws and regulations regarding any personal information we may collect through our apps, website, and related services. If you handle Protected Health Information, the Business Associate Agreement in our Terms of Service governs PHI. If there is a conflict between this Privacy Policy and the BAA with respect to PHI, the BAA controls.

Personal information is any information about you which can be used to identify you. This includes your name and email address, device identifiers, payment details, and usage data. Separately, any patient information you submit through the services may constitute Protected Health Information (PHI) as defined at 45 CFR 160.103, and it is handled under our Business Associate Agreement.

Please also review our Terms of Service. By using our services, you agree to be bound by both this Privacy Policy and our Terms of Service.

Information We Collect

We collect information in two categories: voluntarily provided and automatically collected.

Voluntarily provided is information you knowingly provide when using our services. Examples: account registration details, profile info, support requests, and content you upload or paste, including clinical text if you choose to handle PHI.

Automatically collected is information sent by your device while accessing our services. Examples: IP address, device and browser type, operating system, app version, pages and screens viewed, actions taken, timestamps, error and crash data.

Log and Device Data

When you access our services, we log technical and usage data such as IP, device type, app version, actions taken, date and time, and error details. This helps us operate, secure, and improve the services.

Device Permissions

Our apps may request access to device capabilities you choose to use. What we can access depends on your device settings and the permissions you grant.

Personal Information We May Request

We may ask for personal information — for example, when you register an account or when you contact us — which may include one or more of the following:

Legitimate Reasons for Processing

We only collect and use your personal information where we have a legal basis (for example, performance of a contract, legitimate interests, consent, or legal obligation) and only what is reasonably necessary to provide and improve the services.

How We Collect and Use Information

We may collect personal information when you:

We may collect, hold, use, and disclose information to:

We do not sell personal information. We do not sell PHI.

Our software integrates with several third party services, each with its own privacy practices. These may include OpenAI, Anthropic, Amazon Web Services, Google Cloud Platform, Supabase, Stripe, RevenueCat, Customer.io, and similar vendors for hosting, AI inference, analytics, authentication, communications, and payments. Where a provider may handle PHI for HIPAA accounts, we execute a BAA and require appropriate safeguards. A current list of infrastructure and service subprocessors is available upon request at hipaa@palm-ER.com.

We may combine voluntarily provided and automatically collected information with data from trusted sources to improve the services. For example, with your permission we may combine support emails and account data to resolve issues faster.

Use of Artificial Intelligence (AI)

Our applications use third party AI services to assist with documentation generation, language processing, and clinical workflow automation. Some outputs you receive may be generated by large language models. These models generate text based on your input and are not intended to provide individualized clinical advice.

We require zero-retention or an equivalent no-logging configuration for PHI content processed by AI providers, and we prohibit providers from using your data for model training. We do not use your data to train or fine tune any AI or machine learning models.

HIPAA Compliance and PHI

We act as a Business Associate when you transmit, store, or process PHI through our services.

Business Associate relationship: When you are a Covered Entity and use our services to handle PHI, our Business Associate Agreement, incorporated into and attached as Schedule A to the Terms of Service, governs PHI. The BAA takes effect on the earlier of your acceptance of the Terms or when we first receive, create, maintain, or transmit PHI on your behalf.

Our obligations as your Business Associate include:

Security standards: We maintain industry standard safeguards including encryption in transit using TLS 1.2 or higher, encryption at rest using AES-256, strict access controls, audit logging, and vulnerability management.

AI processing and retention: When PHI is routed to AI providers at your direction, we use providers and configurations designed to prevent retention and training. If a provider cannot meet those requirements for a given feature, we will not route PHI to that provider for that feature.

De-identification: We may de-identify PHI in accordance with 45 CFR 164.514. De-identified data is no longer PHI. We will not attempt to re-identify de-identified data or contact individuals whose information has been de-identified.

Breach notification: If we determine a breach of unsecured PHI occurred, we will notify you without unreasonable delay and no later than 30 calendar days after discovery, and provide the information required by 45 CFR 164.410(c). We will also provide an initial incident notice generally within 10 business days of discovery, consistent with our BAA.

Retention and deletion: Return, destruction, and retention of PHI are governed by the BAA. On your instruction we will return or destroy PHI, except where retention is required for management, administration, or legal obligations, in which case we will continue to safeguard PHI under the BAA.

Your responsibilities as a Covered Entity: You are responsible for obtaining any required authorizations and consents, ensuring you have a legal right to share PHI with us, and meeting your own HIPAA obligations.

Security of Your Information

We protect personal information using commercially reasonable safeguards appropriate to the data we process. No method of transmission or storage is 100 percent secure. You are responsible for maintaining the confidentiality of your credentials.

How Long We Keep Information

We retain personal information only as long as necessary to provide the services, meet legal obligations, resolve disputes, and enforce agreements. For PHI, retention is governed by the BAA. When information is no longer needed, we delete it or de-identify it consistent with applicable law.

Children’s Privacy

Our services are not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you believe a child provided personal information, contact us and we will delete it. If we become aware that PHI relating to a minor has been submitted without appropriate authority, we will handle it under the BAA and applicable law.

Disclosure of Personal Information to Third Parties

We may disclose personal information to:

When we disclose PHI, we do so only as permitted under the BAA and applicable law, and bind recipients to appropriate confidentiality and security obligations.

International Transfers of Personal Information

The personal information we collect is stored and/or processed in the United States, or where we or our partners, affiliates, and third party providers maintain facilities. Protected Health Information is stored and processed only in the United States.

The countries to which we store, process, or transfer your personal information may not have the same data protection laws as the country in which you initially provided the information. If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this privacy policy.

Your Rights and Controlling Your Personal Information

Your choice: By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our app or the products and/or services offered on or through it.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.

Marketing permission: If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.

Access: You may request details of the personal information that we hold about you.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us using the details provided in this privacy policy. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.

Non-discrimination: We will not discriminate against you for exercising any of your rights over your personal information. Unless your personal information is required to provide you with a particular service or offer (for example serving particular content to your device), we will not deny you goods or services and/or charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, or provide you with a different level or quality of goods or services.

Notification of data breaches: We will comply with laws applicable to us in respect of any data breach.

Complaints: If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.

Unsubscribe: To unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details provided in this privacy policy, or opt-out using the opt-out facilities provided in the communication. We may need to request specific information from you to help us confirm your identity.

Cookies

We use cookies and similar technologies to provide core functionality, remember settings, measure performance, and improve the services. You can control cookies through your browser. Some features may not function without certain cookies.

Additional Disclosures for Australian Privacy Act Compliance (AU)

International Transfers of Personal Information

Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act and the Australian Privacy Principles in the Privacy Act. You acknowledge that if any such third party engages in any act or practice that contravenes the Australian Privacy Principles, it would not be accountable under the Privacy Act, and you will not be able to seek redress under the Privacy Act.

Additional Disclosures for General Data Protection Regulation (GDPR) Compliance (EU)

Data Controller / Data Processor

We, palmER Worldwide LLC, located at the address provided in our Contact Us section, are a Data Controller and/or Processor with respect to the personal information you provide to us.

Legal Bases for Processing Your Personal Information

We will only collect and use your personal information when we have a legal right to do so, in which case we will collect and use your personal information lawfully, fairly, and in a transparent manner. If we seek your consent to process your personal information, and you are under 16 years of age, we will seek your parent or legal guardian's consent to process your personal information for that specific purpose.

Our lawful bases depend on the services you use and how you use them. This means we only collect and use your information on the following grounds:

Consent From You: Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however, this will not affect any use of your information that has already taken place. When you contact us, you may consent to your name and email address being used so we can respond to your inquiry. While you may request that we delete your contact details at any time, we cannot recall any email we have already sent. If you have any further inquiries about how to withdraw your consent, please feel free to inquire using the details provided in the Contact Us section of this privacy policy.

Performance of a Contract or Transaction: Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to our entering into a contract or transaction with you. For example, we need technical information about your device in order to provide the essential features of our apps.

Our Legitimate Interests: Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve and communicate our services. For example, we collect technical information about your device in order to improve and personalize your experience of our apps. We consider our legitimate interests to include research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests.

Compliance with Law: In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations. If you have any further inquiries about how we retain personal information in order to comply with the law, please feel free to inquire using the details provided in the Contact Us section of this privacy policy.

International Transfers Outside of the European Economic Area (EEA)

We will ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, for example by using standard data protection clauses approved by the European Commission, or the use of binding corporate rules or other legally accepted means.

Your Rights and Controlling Your Personal Information

Restrict: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.

Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which override your interests, rights, and freedoms, in order to proceed with the processing of your personal information.

Data portability: You may have the right to request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may also have the right to request that we transfer this personal information to a third party.

Deletion: You may have a right to request that we delete the personal information we hold about you at any time, and we will take reasonable steps to delete your personal information from our current records. If you ask us to delete your personal information, we will let you know how the deletion affects your use of our apps, website or products and services. There may be exceptions to this right for specific legal reasons which, if applicable, we will set out for you in response to your request. If you terminate or delete your account, we will delete your personal information within 7 days of the deletion of your account. Please be aware that search engines and similar third parties may still retain copies of your personal information that has been made public at least once, like certain profile information and public comments, even after you have deleted the information from our services or deactivated your account.

Additional Disclosures for California Compliance (US)

Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes.

To make such a request, please contact us using the details provided in this privacy policy with "Request for California privacy information" in the subject line. You may make this type of request once every calendar year. We will email you a list of categories of personal information we revealed to other organizations for their marketing purposes in the last calendar year, along with their names and addresses. Not all personal information shared in this way is covered by Section 1798.83 of the California Civil Code.

Do Not Track

We do not currently respond to Do Not Track (DNT) signals because there is no consistent industry standard for compliance. However, we respect user privacy and allow you to control cookies and tracking through your browser and platform preferences.

We adhere to the standards outlined in this privacy policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.

Cookies and Pixels

At all times, you may decline cookies from our site if your browser permits. Most browsers allow you to activate settings on your browser to refuse the setting of all or some cookies. Accordingly, your ability to limit cookies is based only on your browser's capabilities. Please refer to the Cookies section of this privacy policy for more information.

CCPA-permitted Financial Incentives

In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels for the goods or services we provide.

Any CCPA-permitted financial incentive we offer will reasonably relate to the value of your personal information, and we will provide written terms that describe clearly the nature of such an offer. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.

California Notice of Collection

In the past 12 months, we have collected the following categories of personal information enumerated in the California Consumer Privacy Act:

For more information on information we collect, including the sources we receive information from, review the "Information We Collect" section. We collect and use these categories of personal information for the business purposes described in the "Collection and Use of Information" section, including to provide and manage our services.

Do not sell or share. We do not sell personal information or share it for cross-context behavioral advertising as defined by the California Consumer Privacy Act, as amended by CPRA.

Right to Know and Delete

If you are a California resident, you have rights to delete your personal information we collected and know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:

Shine the Light

If you are a California resident, in addition to the rights discussed above, you have the right to request information from us regarding the manner in which we share certain personal information, as defined by California's "Shine the Light" law, with third parties and affiliates for their own direct marketing purposes.

To receive this information, send us a request using the contact details provided in this privacy policy. Requests must include "California Privacy Rights Request" in the first line of the description and include your name, street address, city, state, and ZIP code.

Business Transfers

If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, your information may be transferred as part of that transaction in compliance with applicable law and, for PHI, the BAA.

Limits of Our Policy

Our apps may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

Changes to This Privacy Policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. Thus, you are advised to review this page for any changes. We will notify you of any changes by posting the new Privacy Policy on this page.

Contact Us

For any questions or concerns regarding your privacy and our policies, you may contact us at:

You may also reach out using the contact form on our website.