Privacy Policy

Last updated: May 21, 2025

1. Introduction

Feather AI, Inc. ("Feather AI," "we," "us," or "our") is committed to protecting the privacy and security of the information entrusted to us by our users, particularly Protected Health Information (PHI). This Privacy Policy explains how Feather AI collects, uses, discloses, and protects information when you access and use our HIPAA-compliant ChatGPT product and related services (the "Service").

Please read this Privacy Policy carefully. By using the Service, you acknowledge and agree to the practices described in this Privacy Policy. This Privacy Policy is incorporated into our Terms and Conditions of Service.

2. Scope of this Privacy Policy and HIPAA

This Privacy Policy addresses two main categories of information:

  • Non-PHI (General User Data): Information that does not constitute Protected Health Information under HIPAA, such as your contact details, billing information, and usage data not linked to PHI.
  • Protected Health Information (PHI): Information that Feather AI creates, receives, maintains, or transmits on behalf of healthcare professionals (who are often Covered Entities or Business Associates under HIPAA). The handling of PHI is governed by our Business Associate Agreement (BAA), which is incorporated into our Terms and Conditions of Service. This Privacy Policy supplements, but does not supersede, the terms of the BAA with respect to PHI.

As a Business Associate under HIPAA, Feather AI's use and disclosure of PHI is strictly limited by the BAA and applicable HIPAA regulations.

3. Information We Collect

We collect various types of information from and about users of our Service, including:

A. Information You Provide to Us (Non-PHI):

  • Account Registration Information: When you create an account, we collect information such as your name, email address, organization name (e.g., clinic, hospital), professional role, and contact phone number.
  • Billing and Payment Information: If you subscribe to a paid plan, we collect billing details, such as credit card number, expiration date, and billing address. This information is processed by secure third-party payment processors, and we do not store full payment card details on our servers.
  • Communications: Records and copies of your correspondence with us (e.g., when you contact customer support), including any information you provide in surveys or feedback forms.
  • Other Information: Any other information you voluntarily provide to us that does not constitute PHI.

B. Information You Provide to Us (PHI):

  • User Inputs: When you use the Feather AI ChatGPT product, you may input or generate text, data, audio, video, or other content that contains Protected Health Information (PHI) of your patients or clients. This PHI is provided by you as a Covered Entity or Business Associate and is handled by Feather AI solely in its capacity as your Business Associate, subject to the strict terms of the Business Associate Agreement.
  • Purpose of PHI Input: You are solely responsible for ensuring that any PHI you input into the Service is input in compliance with HIPAA and other applicable laws and regulations, and for a legitimate healthcare purpose.

C. Information We Collect Automatically (Primarily Non-PHI):

  • Usage Details: Details of your access to and use of the Service, including traffic data, logs, and other communication data, and the resources that you access and use on or through the Service (e.g., features used, session duration, frequency of use).
  • Device Information: Information about your computer or mobile device and internet connection, including your IP address, operating system, browser type, and device identifiers.
  • Cookies and Tracking Technologies: We use cookies and similar technologies (e.g., web beacons) to:
    • Authenticate your session and maintain your login.
    • Understand how you use the Service to improve its functionality.
    • Remember your preferences.
    • Analyze trends and manage the Service.
    • Note on PHI and Cookies: We do NOT use cookies or similar tracking technologies to collect or track PHI. Any data collected via these technologies is generally non-PHI and used for service improvement, security, and analytics.

4. How We Use the Information We Collect

A. Use of Non-PHI (General User Data): We use the non-PHI information we collect for the following purposes:

  • To provide, operate, and maintain the Service.
  • To create, manage, and secure your account.
  • To process your payments and manage your subscriptions.
  • To send you technical notices, updates, security alerts, and support messages.
  • To personalize your experience and deliver relevant content.
  • To monitor and analyze trends, usage, and activities in connection with our Service.
  • To improve, develop, and test new features and functionalities of the Service.
  • To detect, prevent, and address technical issues, fraud, and security vulnerabilities.
  • To enforce our Terms and Conditions of Service.
  • To comply with legal obligations.

B. Use of PHI:

  • As a Business Associate, Feather AI uses and discloses PHI strictly in accordance with the Business Associate Agreement (Section 11 of our Terms and Conditions of Service) and applicable HIPAA regulations.
  • Our primary use of PHI is to perform the functions and services for which you, the healthcare professional, engage Feather AI – specifically, to enable the core functionality of the ChatGPT product and its related features you utilize within the Service.
  • Feather AI does NOT use PHI for marketing purposes.
  • Feather AI does NOT use PHI to train or improve the underlying large language models (LLMs) in a manner that would constitute a "use" or "disclosure" under HIPAA for purposes other than performing the services for your Covered Entity. Our systems are designed to ensure that PHI is isolated and handled in a compliant manner as defined by the BAA.

5. How We Share and Disclose Information

A. Disclosure of Non-PHI: We may share non-PHI with:

  • Service Providers: Third-party vendors and service providers who perform services on our behalf (e.g., payment processing, cloud hosting, analytics, customer support). These providers are contractually bound to keep non-PHI confidential and use it only for the purposes for which we disclose it to them.
  • Legal Compliance and Protection: If required to do so by law or in the good faith belief that such action is necessary to:
    • Comply with a legal obligation or valid governmental request (e.g., subpoena, court order).
    • Protect and defend the rights or property of Feather AI.
    • Act in urgent circumstances to protect the personal safety of users of the Service or the public.
    • Protect against legal liability.
  • Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your non-PHI information may be transferred as part of the assets.
  • With Your Consent: We may disclose your non-PHI for any other purpose with your consent.

B. Disclosure of PHI:

  • PHI is disclosed ONLY as permitted or required by the Business Associate Agreement (BAA) and HIPAA regulations.
  • Feather AI may disclose PHI to subcontractors who create, receive, maintain, or transmit PHI on behalf of Feather AI, provided that Feather AI has obtained satisfactory assurances (e.g., through a sub-BAA) that the subcontractor will comply with the same restrictions and conditions that apply to Feather AI under our BAA with you.
  • Feather AI will report any Breaches of Unsecured PHI to you as required by the BAA.

6. Data Security and HIPAA Safeguards

Feather AI is committed to protecting your information from unauthorized access, use, alteration, and disclosure. We have implemented robust administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of all data, especially PHI, in accordance with the HIPAA Security Rule. Our security program is overseen by our Head of Security, Sokratis Vidros, and includes:

  • Encryption: Encryption of data in transit and at rest.
  • Access Controls: Strict access controls to PHI, including role-based access and least privilege principles.
  • Audit Logging: Comprehensive audit trails to monitor access and activity.
  • Regular Assessments: Regular security risk assessments and vulnerability scanning.
  • Personnel Training: Employee training on HIPAA, security, and privacy best practices.
  • Data Minimization: Efforts to limit the collection and use of PHI to the minimum necessary required for the Service.
  • Physical Security: Controls to protect physical access to our data centers and infrastructure.

NO METHOD OF TRANSMISSION OVER THE INTERNET, OR METHOD OF ELECTRONIC STORAGE, IS 100% SECURE. THEREFORE, WHILE WE STRIVE TO USE COMMERCIALLY ACCEPTABLE MEANS TO PROTECT YOUR INFORMATION, WE CANNOT GUARANTEE ITS ABSOLUTE SECURITY.

7. Data Retention

We retain non-PHI for as long as your account is active or as needed to provide you the Service, and for a reasonable period thereafter to comply with our legal obligations, resolve disputes, and enforce our agreements. PHI is retained, returned, or destroyed in accordance with the terms of the Business Associate Agreement. Upon termination of your use of the Service, PHI will be handled as specified in the BAA.

8. Your Choices and Rights

  • Account Information: You may review, update, or correct your account information by logging into your account settings.
  • Marketing Communications: You may opt out of receiving promotional emails from Feather AI by following the unsubscribe instructions provided in those emails. Please note that even if you opt out, we may still send you non-promotional communications, such as those about your account or our ongoing business relations.
  • PHI Rights: As a Covered Entity or Business Associate, you are responsible for fulfilling individual rights (e.g., access, amendment, accounting of disclosures) regarding PHI. Feather AI will assist you in fulfilling these obligations as required by the BAA.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 13. If we learn that we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information.

10. Changes to Our Privacy Policy

Feather AI may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact Information

If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

Feather AI, Inc.
support@askfeather.com
2261 Market Street STE 4518 San Francisco, CA 94114
