Privacy & Security Notice

Individual Access Services

Effective Date: March 17, 2026

Last Updated: April 14, 2026

This Privacy & Security Notice describes how ClearChartAI, Inc. ("ClearChartAI," "we," "us," or "our") protects your information when providing Individual Access Services (IAS).

This Notice applies specifically to ClearChartAI's Individual Access Services provided under the Trusted Exchange Framework and Common Agreement (TEFCA). Individual Access Services allow you to obtain access to your health information from participating healthcare providers and health information networks.

ClearChartAI is required to act in conformance with this Privacy & Security Notice and must protect the security of the information it holds in accordance with the applicable Framework Agreement.

For general information about how ClearChartAI collects, uses, and protects your information, see our Privacy Policy.

By using ClearChartAI's Individual Access Services, you acknowledge and consent to the privacy and security practices described in this Notice.

1. Type of Individual Access Services

ClearChartAI provides Request-only Individual Access Services. This means:

  • We request and retrieve copies of your health information from participating healthcare providers on your behalf.
  • We do not respond to queries from other TEFCA participants or disclose your health information to third parties through the TEFCA network.
  • Your health records are retrieved solely for your personal access and use.

REQUEST-ONLY IAS PROVIDER: CLEARCHARTAI DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE CLEARCHARTAI TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.

2. Our Commitment to Privacy and Security

ClearChartAI uses commercially reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, modification, use, or destruction. These safeguards include:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls
  • Multi-factor authentication
  • Secure cloud infrastructure hosted in the United States
  • Continuous security monitoring
  • Detailed audit logging
  • Identity verification prior to medical record retrieval

ClearChartAI's privacy and security obligations under this Notice continue for as long as ClearChartAI maintains your information.

3. Information We Maintain

ClearChartAI may maintain the following information in connection with Individual Access Services:

  • Identifiers such as name, email address, and phone number
  • Identity verification information used to confirm your identity
  • Health information retrieved at your direction from healthcare providers
  • System interaction logs and audit records

This information may include Individually Identifiable Information, which is information that identifies an individual or could reasonably be used to identify an individual.

4. How Information Is Used

ClearChartAI uses information solely to:

  • Verify your identity before retrieving medical records
  • Retrieve medical records at your request
  • Organize and present health information to you
  • Generate educational insights using artificial intelligence tools
  • Maintain system integrity, compliance, and audit logs
  • Comply with applicable legal and regulatory obligations

ClearChartAI does not sell Individually Identifiable Information.

ClearChartAI does not use Individually Identifiable Information for targeted advertising or marketing purposes.

ClearChartAI does not use identifiable health information to train public artificial intelligence models.

ClearChartAI does not de-identify Individually Identifiable Information for secondary use, sale, or disclosure. No de-identified data is created, used, or disclosed in connection with Individual Access Services.

Individually Identifiable Information maintained by ClearChartAI in connection with Individual Access Services will not be used to assert any type of claim against the Individual, except for the collection of fees as disclosed in this Notice.

Any disclosures through TEFCA exchange occur only as permitted under the TEFCA Common Agreement and applicable U.S. Department of Health and Human Services guidance.

ClearChartAI will provide written or electronic notice to affected Individuals within three (3) business days of receiving a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure of Individually Identifiable Information, unless prohibited by applicable law. Affected Individuals will be afforded the right to object or seek a protective order or other appropriate remedy consistent with applicable law.

ClearChartAI will provide written or electronic notice to affected Individuals within three (3) business days of making Individually Identifiable Information available to law enforcement agencies, including through sale of Individually Identifiable data, unless prohibited by applicable law.

5. Third-Party Service Providers

ClearChartAI may share information with trusted service providers that support operation of Individual Access Services. These providers are contractually required to maintain appropriate privacy and security protections, including commercially reasonable administrative, technical, and physical safeguards to protect Individually Identifiable Information from unauthorized access, modification, use, or destruction.

Google Cloud Platform (Google LLC)

Cloud infrastructure, data storage, and AI processing. All health data is stored and processed under a signed Business Associate Agreement (BAA). Google Cloud is required to encrypt all data in transit and at rest, restrict access to authorized personnel only, and maintain SOC 2 Type II and ISO 27001 certifications. Google Cloud does not access, use, or disclose health data except as necessary to provide the contracted services.

Persona (Persona Identities, Inc.)

Identity verification services (Credential Service Provider). Persona verifies your identity through government-issued ID and selfie comparison before ClearChartAI can retrieve your medical records. Persona is Kantara-certified for IAL2 identity assurance. Persona is required to encrypt verification data, limit retention to what is necessary for the verification process, and not use your identity data for any purpose other than identity verification on behalf of ClearChartAI.

CommonWell Health Alliance

Health information network used to locate and retrieve medical records from participating healthcare providers through the TEFCA framework. CommonWell operates under the Trusted Exchange Framework and Common Agreement and is required to comply with all applicable TEFCA privacy and security requirements. Data exchanged through CommonWell follows TEFCA rules, and ClearChartAI does not control the privacy practices of the healthcare providers from whom records are retrieved.

6. Consent

Before ClearChartAI retrieves or processes medical records through Individual Access Services, you must provide express documented consent acknowledging this Privacy & Security Notice.

Consent is recorded electronically and maintained in a secure auditable log. ClearChartAI will not access, retrieve, or exchange health information through Individual Access Services without your documented authorization.

7. Revocation of Consent

You may revoke your authorization for ClearChartAI to access or retrieve health records at any time. To revoke your consent:

  1. Within the ClearChartAI application: Log in to your account, navigate to Security Settings, and select "Revoke IAS Access." Your revocation will take effect immediately.
  2. By contacting us: Send an email to team@clearchartai.io with the subject line "Revoke IAS Consent" and include your full name and account email. We will process your request within two (2) business days.

Once consent is revoked:

  • ClearChartAI will stop retrieving or exchanging health information through Individual Access Services;
  • Access to Individual Access Services will be terminated;
  • Previously retrieved records will remain in your account unless you separately request deletion;
  • Actions taken prior to revocation will not be affected.

For standalone revocation instructions, please visit our Revoke IAS Consent page.

8. Security Incident Notification

If ClearChartAI becomes aware that your information has been or is reasonably believed to have been affected by a TEFCA security incident or breach of unencrypted information, you will be notified in accordance with applicable law. Such notice will include:

  • A description of what happened and when
  • The types of information involved
  • Steps you can take to protect yourself
  • Actions taken by ClearChartAI to investigate and prevent future incidents
  • Contact information for further assistance (phone, email, and website)

9. Individual Rights and Choices

As a user of ClearChartAI's Individual Access Services, you have the following rights:

  • Access your Individually Identifiable Information maintained by ClearChartAI
  • Obtain a machine-readable export of your information, including the means to interpret the format
  • Request deletion of your information, to the extent technically feasible, with respect to any future uses or disclosures, unless such deletion is prohibited by applicable law (this does not apply to information contained in audit logs)
  • Revoke authorization for ClearChartAI to retrieve health records
  • Be notified of security incidents affecting your data

You also have the following choices regarding the collection, use, deletion, and disclosure of your Individually Identifiable Information:

  • Collection: You choose whether to use Individual Access Services. No health information is collected unless you initiate a records request.
  • Use: Your health information is used only to provide Individual Access Services to you as described in this Notice. You may contact us to restrict specific uses.
  • Deletion: You may delete individual records at any time through the platform, or request complete deletion of all your data by deleting your account. Account deletion includes a 7-day grace period during which you may cancel the request. If you need immediate deletion, you may contact our support team at team@clearchartai.io.
  • Disclosure: ClearChartAI is a Request-Only IAS Provider. Your information is not disclosed to other TEFCA participants. You control which records are shared with your healthcare providers through the Share-to-Provider feature.

Requests may be submitted through the ClearChartAI platform or by contacting ClearChartAI directly using the contact information below.

10. Data Retention

ClearChartAI retains health information, documents, and related data for as long as your account is active. You may delete individual records at any time through the ClearChartAI platform.

Upon revocation of IAS consent, ClearChartAI will cease retrieving health information through Individual Access Services. Previously retrieved records will remain in your account unless you separately request deletion. You may request deletion of your health data at any time through the ClearChartAI platform or by contacting us.

Upon account deletion confirmation, a 7-day grace period begins during which you may cancel the request. After the grace period, health data is permanently removed from active systems, except where retention is required by law. If you provide a reason for closing your account, it may be used to improve our services. Audit logs, compliance records, and identity verification records are retained for a minimum of six (6) years in accordance with HIPAA requirements (45 CFR §164.530(j)), regardless of account status.

11. HIPAA Status

ClearChartAI is not a covered entity under HIPAA. In certain contexts, ClearChartAI may operate as a Business Associate under agreements with healthcare organizations. In those situations, ClearChartAI handles Protected Health Information in accordance with applicable HIPAA requirements and contractual obligations.

Data shared through TEFCA follows the rules established by the Trusted Exchange Framework and Common Agreement.

12. Fees

Individual Access Services are currently provided at no cost. If fees are introduced in the future, you will be notified before any charges apply, and fee details will be clearly posted. No fees are charged for the exercise of any individual rights described in this Notice.

13. Privacy Complaints

If you have concerns about how ClearChartAI handles your information in connection with Individual Access Services, you may submit a complaint to the contact information listed below. ClearChartAI maintains a process for tracking and responding to privacy-related complaints in a timely manner.

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

14. Changes to This Notice

We may update this Privacy & Security Notice periodically. Any material updates will be clearly posted and conspicuously displayed so that you can readily identify changes from the previous version. Existing users will be reasonably notified of material changes.

15. Contact Information

For questions, privacy requests, or complaints regarding this Notice, contact:

ClearChartAI Privacy Office

ClearChartAI, Inc.

131 Continental Dr, Suite 305, Newark, DE 19713

Phone: (530) 260-8027

Email: team@clearchartai.io

Website: https://clearchartai.io

© 2026 ClearChartAI, Inc. All rights reserved.