Privacy Policy
Last Updated: May 26, 2026
This Privacy Policy describes how Clinivore ("we," "us," or "our") collects, uses, and protects information in connection with the Clinivore treatment tracking platform ("Service"). Clinivore is a software-as-a-service product used by licensed healthcare practices — not directly by patients.
1. Information We Collect
Patient treatment records: Practice staff enter or import patient treatment records into Clinivore, including patient identifiers, treatment protocols, appointment history, and outreach notes. This information constitutes Protected Health Information (PHI) under HIPAA when entered by a covered entity.
Staff account information: We collect name, email address, and role designation for each practice staff member with a Clinivore account.
Usage and audit logs: We log all actions taken within the platform, including patient record access, outreach task completion, AI draft generation, and administrative changes. These logs are used for HIPAA compliance, security monitoring, and service improvement.
No direct patient collection: Clinivore is a staff-facing tool. Patients do not create accounts, submit forms, or interact with Clinivore directly. All patient data is entered by authorized practice staff.
2. How We Use Information
We use the information we collect to:
- Operate and deliver the treatment tracking service
- Generate AI-assisted documentation drafts when authorized by the practice
- Maintain an append-only audit log for HIPAA compliance
- Improve the service through aggregate, de-identified usage analytics
- Respond to support requests and practice inquiries
We do not sell, rent, or share PHI with third parties for marketing purposes. We do not use patient treatment records for advertising.
3. HIPAA and Protected Health Information
Clinivore operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) when handling PHI on behalf of a covered entity. Prior to accessing or processing PHI, Clinivore enters into a Business Associate Agreement (BAA) with the covered entity.
PHI within Clinivore is handled in accordance with the HIPAA Security Rule, including administrative, physical, and technical safeguards. Practices remain responsible for workforce training and access control under the HIPAA Privacy Rule.
42 CFR Part 2: For practices treating substance use disorders, Clinivore is designed with 42 CFR Part 2 protections in mind. Substance use disorder treatment records require patient consent prior to disclosure and are handled through staff-guided workflows, not automated processes.
4. AI and Third-Party Services
Clinivore's AI documentation assistant uses the Anthropic Claude API to generate call scripts, chart notes, and outreach drafts.
PHI and AI: By default (ALLOW_PHI_TO_AI=false), PHI is not transmitted to AI services. In this default mode, AI drafts are generated using non-identifying patient context only. PHI may be included in AI requests only when the practice has explicitly enabled this feature under a BAA-covered configuration.
All AI draft generation events are logged in the audit trail, including whether PHI was present in the AI request context.
5. Data Retention
Treatment records, outreach logs, and patient data are retained for the duration of the practice's subscription plus any wind-down period specified in the service contract.
Audit logs are retained for a minimum of six (6) years in accordance with HIPAA record retention requirements.
Practices may request deletion of their data by contacting us at privacy@clinivore.app. Deletion requests will be honored within 30 days, subject to applicable legal retention obligations.
6. Security
Clinivore employs industry-standard technical safeguards to protect the information we process:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access control (Admin / Provider / Staff)
- Append-only audit trail for all PHI access events
- Automatic session timeout
- Infrastructure hosted in the United States (AWS / Railway)
No security system is perfect. In the event of a data breach involving PHI, we will notify affected covered entities in accordance with the HIPAA Breach Notification Rule.
7. Contact
For privacy-related inquiries, data deletion requests, or Business Associate Agreement requests, contact:
Email: privacy@clinivore.app
General inquiries: hello@clinivore.app