Privacy Policy
Last updated: November 26, 2025
| Snapshot | Details |
|---|---|
| Who this covers | Visitors, customers, and end users of OptimIQ websites and healthcare products |
| Core principles | Data minimization, security by design, no general model training on PHI without explicit opt-in |
| Key contacts | privacy@optimiq.us • hi@optimiq.us |
Note: For more information about how we use data to power OptimIQ’s AI features, and your choices around model training and retention, please see our Data Use & Privacy Overview (to be published on optimiq.us).
Introduction
We at OptimIQ, LLC (“OptimIQ,” “we,” or “us”) are committed to respecting your privacy and protecting personal data, especially when it includes healthcare and claims information.
This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use:
- Our websites, including www.optimiq.us;
- The OptimIQ Health platform and related products, including:
  - Risk Adjustment & Value-Based Care,
  - Claims Intelligence, and
  - Post-Acute Optimization; and
- Our APIs, dashboards, embedded AI agents, documentation, and related tools

(collectively, the “Service”).
It also describes the privacy rights that may be available to you under the laws of your country, state, or region.
By accessing or using the Service, you acknowledge that you have been informed of and consent to the practices described in this Privacy Policy, to the extent permitted by applicable law.
This Privacy Policy is different from any Notice of Privacy Practices that your healthcare provider or health plan may provide to you. OptimIQ is a B2B platform used by healthcare organizations, plans, and vendors, not a direct-to-patient service.
When this Privacy Policy does not apply (B2B / HIPAA customers)
In many cases, OptimIQ provides the Service to healthcare organizations, health plans, and vendors (our “Customers”) who use it to process Protected Health Information (“PHI”) and other data about their patients or members. In those cases:
- The Customer is typically the data controller (under GDPR/UK GDPR) or covered entity / business associate (under HIPAA); and
- OptimIQ acts as a data processor / business associate, processing PHI and other personal data only as instructed by the Customer and as permitted in the Business Associate Agreement (BAA) or data processing agreement.
Where OptimIQ acts as a processor / business associate, our use of personal data is governed primarily by those contracts and applicable law. This Privacy Policy mainly describes how we handle personal data when we act as a controller (for example, for our website visitors, marketing contacts, and self-service accounts).
1. Personal data we collect
A. Personal data you provide directly
We collect personal data when you interact with us, create an account, or use the Service. Examples include:
Account & organization information
- Name, email address, and phone number
- Job title, role, and organization details
- Account credentials (e.g., username, hashed password)
Patient / member / clinical / claims data (for B2B Customers)
When Customers use the Service for risk adjustment, value-based care, RPM/vitals, post-acute optimization, or claims workflows, we may process personal data and PHI they submit, such as:
- Demographics (e.g., age, sex, member ID, internal patient ID)
- Claims history, service dates, CPT/HCPCS/ICD/HCC codes
- Clinical notes or summaries, vitals, labs, and other documentation
- Payer data, eligibility, and benefits information
- Provider, facility, and network information
We process this data only to provide the Service to the Customer and in accordance with the BAA or data processing agreement.
Billing & payment information
- Billing contact details
- Subscription details
- Limited payment method details (for example, billing address and payment tokens handled via a third-party payment processor; OptimIQ does not store full card numbers)
Inputs & Outputs (AI and analytics interactions)
The Service may allow authorized users to submit prompts, questions, documents, configuration settings, and other information (“Inputs”) and receive AI-generated or analytic results (“Outputs”). Inputs and Outputs may contain personal data and PHI if you or your organization choose to include it.
Examples:
- Asking an embedded AI agent to summarize a chart or visit history
- Running analytics on a population of claims or risk-adjustment cohorts
- Generating suggested worklists for care gaps, HCC gaps, or post-acute follow-up
Support & communication data
- Information you provide when you contact us (for example, via email or support tickets)
- Content of messages, meeting notes, and attachments
- Information shared during implementation, onboarding, or training sessions
Feedback
If you provide feedback, feature requests, or rate Outputs (e.g., thumbs up/down, comments on AI responses), we may store that feedback and associated context (including relevant Inputs/Outputs) to improve the Service and our models, consistent with your contract and settings.
B. Personal data we collect automatically
When you use the Service, we and our service providers automatically collect certain technical information:
Device & browser information
- Device type, operating system, browser type, language, and version
- Settings and configurations used to access the Service
Log information
- IP address and approximate location (derived from IP)
- Timestamps of access and session identifiers
- Error logs and diagnostic information
- Events related to login, security, and configuration changes
Usage data
- Pages visited, modules and features used (e.g., Risk Adjustment dashboards, Claims review queues)
- Search queries, filters applied, and configuration choices
- Performance metrics, response times, and general usage patterns
Cookies & similar technologies
We use cookies, pixels, and similar technologies to:
- Operate and secure the Service
- Remember your preferences and session state
- Analyze usage and performance
- Support basic product analytics and service improvement (not for cross-context behavioral advertising)
For more details, see our Cookie Notice (to be published).
C. Sensitive health information and PHI
Unlike many generic AI tools, OptimIQ is specifically built for healthcare, risk adjustment, and claims. This means we may process highly sensitive data, including PHI, when Customers use the Service as part of their clinical, risk, and revenue cycle operations.
When we process PHI, we do so:
- Only as a business associate / processor on behalf of the Customer;
- Under a HIPAA-compliant BAA and any applicable data processing agreement; and
- In accordance with Customer instructions and applicable law.
We do not use PHI for our own independent advertising or unrelated marketing, and we do not sell PHI.
D. Information we do not knowingly collect
We do not knowingly:
- Collect personal data directly from children under 18. The Service is designed for professional and organizational users (health systems, providers, plans, vendors), not for minors or direct patient sign-up.
- Offer consumer-facing medical care, diagnosis, or treatment. We provide tools to professional organizations, not patient-facing medical advice.
If we learn that we have collected personal data from a child under 18 without appropriate authorization, we will take steps to delete that data or work with the applicable Customer to remediate it.
2. How we use personal data
We use personal data for the following purposes, to the extent permitted by law and our agreements with Customers:
- To provide and maintain the Service
  - Operating the OptimIQ Health platform and modules
  - Generating risk scores, RAF-impact analytics, care-gap flags, and other Insights
  - Supporting claims review, payment integrity checks, and post-acute optimization
  - Providing dashboards, reports, and worklists to authorized users
- To create and manage accounts
  - Setting up and administering user and organization accounts
  - Managing roles, permissions, and single sign-on integrations
  - Managing tenant-level configuration (e.g., product enablement, locales, and settings)
- To process payments and billing
  - Managing subscriptions, invoices, and payments
  - Handling billing questions, charge disputes, and account changes
- To improve and develop the Service
  - Debugging issues and resolving errors
  - Analyzing feature usage to prioritize roadmap and usability improvements
  - Research and development to improve model quality, safety, and accuracy
  - Improving workflows for risk adjustment, value-based care, claims, and post-acute programs
- AI model training and evaluation
  - We do not use PHI or Customer-identifiable data to train general-purpose models that are shared across customers, unless:
    - you have explicitly agreed or opted in via your contract or admin settings, or
    - we must review specific data (including Inputs/Outputs) to investigate security, abuse, or compliance issues.
  - We may use de-identified or aggregated data for training, evaluation, and benchmarking, provided it does not identify you, your organization, or any individual.
- To communicate with you
  - Responding to support requests and implementation questions
  - Sending operational notices (e.g., security alerts, downtime, changes to terms)
  - Sending optional product updates, event invitations, or marketing (where permitted; you can opt out at any time)
- To protect security, prevent abuse, and ensure compliance
  - Detecting and responding to fraud, misuse, or unauthorized access
  - Monitoring for suspicious or anomalous activity within the platform
  - Enforcing our Terms of Service, BAA, and other agreements
- To comply with legal obligations
  - Meeting regulatory and audit requirements (e.g., HIPAA, state privacy laws, financial recordkeeping)
  - Responding to lawful requests, court orders, and legal processes
- To protect rights and safety
  - Protecting the rights, privacy, safety, or property of users, patients, OptimIQ, and third parties
  - Investigating and resolving disputes, incidents, or legal claims
We may aggregate or de-identify personal data so that it no longer identifies an individual. We may use and share such de-identified information for any lawful purpose, and we will not attempt to re-identify it except as required by law.
3. How we share personal data
We may disclose personal data in the following circumstances:
Service providers and subprocessors
We engage third-party vendors to help us deliver, secure, and support the Service, including:
- Cloud hosting and infrastructure
- Databases, storage, and backups
- Security and monitoring tools
- Email, SMS, and push notification services
- Payment processors
- Analytics and logging services
- AI model providers and inference infrastructure (e.g., for running OptimIQ AI features)
These providers process personal data only on our instructions, under appropriate contracts, and are required to implement suitable security measures. Where we act as a HIPAA business associate, we also ensure they are bound by sub-BAAs or equivalent obligations, as required by law.
Business transfers
If OptimIQ is involved in a merger, acquisition, restructuring, financing, or sale of all or part of our business, personal data may be disclosed to advisors and counterparties as part of due diligence and may be transferred as part of the transaction in accordance with applicable law.
Legal, regulatory, and safety
We may disclose personal data to courts, regulators, law enforcement, or other parties when we believe it is necessary to:
- Comply with applicable laws, regulations, or legal processes;
- Respond to lawful requests or investigations;
- Protect the rights, safety, or property of OptimIQ, users, patients, or others; or
- Detect, prevent, or address security, fraud, or technical issues.
Affiliates
We may share personal data with OptimIQ affiliates (entities under common ownership or control) for purposes consistent with this Privacy Policy.
Third-party services and integrations
The Service may integrate with third-party systems (for example, EHRs, practice management systems, claims clearinghouses, payor portals, or identity providers). When you connect or enable such services:
- We may share data with those services at your direction; and
- Their use of personal data is governed by their own privacy policies and terms, not ours.
Customer account administrators
If you use the Service under an organization account (for example, your employer, health system, or plan), account administrators may access information about your usage and configuration and may manage or restrict your access.
Other users or parties you choose to share with
Certain features allow you to share dashboards, reports, or Outputs with other users or external recipients (for example, exporting reports or sending worklists). Any information you voluntarily share in this way will be available to those recipients under their own terms and privacy practices.
With your consent
We may share personal data with third parties when you give us explicit permission to do so (for example, participating in a case study, joint pilot, or integration with a partner).
4. Retention
We retain personal data only for as long as reasonably necessary to:
- Provide and maintain the Service;
- Fulfill the purposes described in this Privacy Policy;
- Comply with legal, regulatory, and audit requirements (including HIPAA and other healthcare-related retention requirements, where applicable); and
- Resolve disputes and enforce our agreements.
Retention periods depend on:
- The type of data;
- The sensitivity of the data (for example, PHI versus basic account info);
- The context in which it was collected; and
- Our legal or contractual obligations.
Where we process PHI as a business associate, retention and deletion are governed primarily by the BAA and Customer instructions. After applicable retention periods, we will delete, de-identify, or anonymize personal data in accordance with our policies and applicable law.
5. Security
We implement technical and organizational safeguards designed to protect personal data against unauthorized access, use, disclosure, alteration, or destruction. These safeguards include:
- Encryption of data in transit (e.g., TLS 1.2+ over HTTPS) and at rest (e.g., AES-256 or comparable standards), where appropriate;
- Access controls based on least privilege and role-based permissions;
- Multi-factor authentication for administrative access (and, where supported, for customer accounts);
- Network and infrastructure security measures, including logging and monitoring;
- Policies, training, and procedures aligned with HIPAA security requirements and other applicable regulations.
However, no security measures are perfect. We cannot guarantee absolute security, and you should use care when deciding what information to submit to the Service.
Where we act as a business associate / processor, we further commit to implementing safeguards consistent with our BAAs and applicable law.
6. Your rights and choices
Depending on where you live and how we interact with you, you may have certain rights in relation to your personal data, such as:
- Right to know / access – You can request information about the personal data we hold about you and how we use it.
- Right to correction – You can request that we correct inaccurate or incomplete personal data.
- Right to deletion – You can request deletion of personal data, subject to legal and contractual obligations (for example, retention needed for audit, safety, or regulatory compliance).
- Right to portability – In some cases, you can request a copy of personal data in a portable format.
- Right to object / restrict – You may have the right to object to or restrict certain processing, particularly where we rely on legitimate interests.
- Right to withdraw consent – Where we process personal data based on your consent, you can withdraw that consent at any time (without affecting the lawfulness of processing before withdrawal).
To exercise these rights, you (or your authorized agent) can contact us at privacy@optimiq.us or hi@optimiq.us. We may take reasonable steps to verify your identity before responding. If we deny your request, you may have the right to appeal by replying to our response.
When we process personal data as a processor / business associate for a Customer, we may redirect your request to that Customer or act only on their instructions, as required by law and our agreements.
Marketing communications
You can opt out of marketing emails at any time by using the unsubscribe link in the email or contacting us. You will still receive essential Service-related communications (for example, security, billing, and legal notices).
Cookies and analytics
Most browsers let you control or block cookies and similar technologies. If you disable certain cookies, parts of the Service may not function properly. Where required by law, we will seek your consent for non-essential cookies or provide opt-out options.
No sale or targeted advertising
We do not:
- Sell personal data as “sale” is defined under certain privacy laws (for example, CCPA/CPRA); or
- Share personal data with third parties for cross-context behavioral advertising or similar targeted advertising that tracks you across unrelated websites or apps.
We primarily use personal data to operate the Service and for security, analytics, and product improvement.
Automated decision-making
OptimIQ does not make decisions about you as an individual that have legal or similarly significant effects based solely on automated processing without meaningful human involvement. Our AI features are decision-support tools for clinical, coding, and operational users, not automated adjudication or clinical decision-making engines.
7. Jurisdiction-specific disclosures
Certain jurisdictions require us to provide additional information about our legal bases and processing.
Legal bases (EEA/UK)
When we act as a controller for individuals in the European Economic Area (EEA) or UK, we process personal data on one or more of the following legal bases:
- Contract – To provide the Service and fulfill our agreements with you or your organization.
- Legitimate interests – To operate, improve, secure, and promote the Service in a way that is proportionate and respects your rights.
- Legal obligation – To comply with applicable laws, regulations, and legal processes.
- Consent – Where required by law (for example, certain marketing communications or non-essential cookies).
Summary table
| Purpose | Types of data | Legal basis (EEA/UK) |
|---|---|---|
| Provide and maintain the Service (accounts, dashboards, analytics features) | Identity and contact data; account data; Inputs & Outputs; technical data | Contract; Legitimate interests (service operation and improvement) |
| Provide healthcare/claims functionality to enterprise Customers (including PHI) | Patient/member data; claims and clinical data; Inputs & Outputs | Contract with Customer; Legal obligation (health/privacy laws, where applicable) |
| Communicate with you (support, updates) | Identity and contact data; communication data; technical data | Contract (service communications); Legitimate interests (user engagement and support); Consent (where required for marketing) |
| Process payments and billing | Identity and contact data; payment data | Contract; Legal obligation (tax/finance laws) |
| Security, fraud detection, and abuse prevention | Identity and contact data; technical data; usage data; limited Inputs/Outputs (for abuse review) | Legitimate interests; Legal obligation |
| Research, analytics, and product improvement (excluding PHI-based general model training) | Technical data; usage data; de-identified or aggregated data; Feedback | Legitimate interests (improving Service and models) |
| Model training / evaluation using non-PHI or de-identified data | Feedback, Inputs/Outputs (where allowed), de-identified or aggregated data | Legitimate interests; Consent (where applicable/admin-configured) |
| Compliance and legal requests | Any relevant categories | Legal obligation; Legitimate interests |
International data transfers
We are based in the United States, and we may process personal data on servers in the US and other countries. When we transfer personal data from the EEA, UK, or other regions with data transfer restrictions, we do so:
- On the basis of adequacy decisions, where applicable; or
- Using standard contractual clauses or other approved transfer mechanisms, combined with appropriate safeguards, as required by law.
Regardless of where data is processed, we apply the protections described in this Privacy Policy and our contractual commitments.
8. Privacy policy changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we do:
- We will update the “Last updated” date at the top of this page; and
- Where required by law or where changes are material, we will provide additional notice (for example, via email or in-product notifications).
Your continued use of the Service after the updated Privacy Policy becomes effective will signify your acceptance of the changes. If you do not agree to the updated policy, you should stop using the Service.
9. Contacting us
If you have questions, concerns, or requests about this Privacy Policy or our privacy practices, you can contact us at:
Privacy & general inquiries
Support