Privacy Policy

Effective Date: December 29, 2025

1. Introduction

CredFlow AI ("CredFlow," "we," "us," or "our") is committed to protecting your privacy and maintaining the security of your personal and protected health information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our medical credentialing software platform and AI-powered services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree with the terms of this Privacy Policy, please do not access or use the Services.

2. Information We Collect

2.1 Healthcare Provider Information

In the course of providing credentialing and enrollment services, we collect and process:

  • Provider demographic information including name, National Provider Identifier (NPI), addresses, and contact details
  • Professional credentials including medical licenses, DEA registrations, board certifications, and malpractice insurance information
  • Educational background, training history, and work experience
  • Practice location information and organizational affiliations
  • Tax identification numbers (TIN) and billing information

2.2 Payer Network Data

We collect and maintain information about healthcare payer networks, including enrollment status, network participation, and directory information necessary to verify provider credentials and maintain accurate provider directories.

2.3 Account and User Information

When you create an account or use our Services, we collect:

  • Name, email address, phone number, and job title
  • Organization name and business information
  • Login credentials and authentication information
  • User preferences and system settings

2.4 Usage and Technical Data

We automatically collect certain information about your device and how you interact with our Services:

  • IP address, browser type, operating system, and device information
  • Log data including access times, pages viewed, and actions taken within the platform
  • Cookies and similar tracking technologies to enhance user experience and platform functionality
  • Performance metrics and error reports to improve service quality

2.5 Communications

We collect information you provide when you contact our support team, participate in surveys, or communicate with us through our AI Communication Center or AI Telecaller features.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • Processing credentialing applications and Primary Source Verification (PSV) requirements
  • Managing payer enrollment and roster automation workflows
  • Conducting continuous monitoring of licenses, certifications, and sanctions
  • Providing real-time network intelligence and provider directory verification
  • Generating compliance reports and revenue-at-risk dashboards

3.2 Platform Improvement and AI Training

  • Training and improving our AI agents to enhance automation accuracy
  • Analyzing usage patterns to optimize workflows and user experience
  • Developing new features and functionality
  • Identifying and resolving technical issues

3.3 Communication and Support

  • Responding to inquiries and providing customer support
  • Sending service updates, security alerts, and administrative messages
  • Providing training and onboarding assistance
  • Sending marketing communications about our Services (with your consent where required)

3.4 Compliance and Legal Obligations

  • Complying with applicable healthcare regulations including HIPAA, the No Surprises Act, and state-specific requirements
  • Maintaining audit trails and evidence artifacts for regulatory compliance
  • Detecting and preventing fraud, security incidents, and unauthorized access
  • Responding to legal requests and enforcing our terms of service

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

4.1 With Healthcare Payers

We share provider credentialing information with healthcare payers as necessary to facilitate enrollment, maintain provider directories, and ensure compliance with payer network requirements. This sharing is essential to the credentialing process and is conducted pursuant to Business Associate Agreements where applicable.

4.2 With Primary Source Verification Entities

We transmit provider information to authoritative sources such as state medical boards, DEA, and certification bodies to verify credentials and conduct ongoing monitoring.

4.3 With Your Organization

If you use our Services as part of a healthcare organization, we share information with authorized users within your organization as necessary to provide the Services and fulfill credentialing requirements.

4.4 Service Providers

We engage trusted third-party service providers who perform services on our behalf, including:

  • Cloud infrastructure and hosting providers
  • Data analytics and business intelligence services
  • Communication and customer support platforms
  • Security and fraud prevention services

These service providers are contractually obligated to protect your information and may only use it to provide services to us.

4.5 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to:

  • Comply with applicable laws and regulations
  • Respond to lawful requests from public authorities
  • Protect the rights, property, or safety of CredFlow, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues

4.6 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5. Data Security

We implement comprehensive security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication and role-based access controls
  • Regular security assessments and penetration testing
  • Comprehensive audit logging and monitoring systems
  • Employee training on data protection and security best practices
  • Incident response procedures and breach notification protocols
  • HIPAA-compliant infrastructure and business processes

While we strive to protect your information using industry-standard security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but maintain commercially reasonable safeguards.

6. HIPAA Compliance

As a provider of healthcare credentialing services, CredFlow operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We:

  • Enter into Business Associate Agreements (BAAs) with covered entities and other business associates
  • Implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
  • Use and disclose Protected Health Information (PHI) only as permitted by applicable BAAs and HIPAA regulations
  • Maintain breach notification procedures in accordance with HIPAA requirements
  • Provide individuals with rights regarding their PHI as required by law

7. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods vary based on:

  • The nature of the information and purpose for collection
  • Healthcare regulatory requirements and credentialing standards
  • Legal and contractual obligations
  • Audit and compliance documentation requirements

When information is no longer needed, we securely delete or anonymize it in accordance with our data retention policies and applicable regulations.

8. Your Rights and Choices

8.1 Access and Correction

You have the right to access and update your personal information. You may review and modify your account information through the platform or by contacting us at hello@credflow.ai.

8.2 Data Portability

Where technically feasible and legally required, you may request a copy of your information in a portable format.

8.3 Deletion Requests

You may request deletion of your personal information, subject to certain limitations. We may retain information as required by law, for legitimate business purposes, or to fulfill regulatory obligations in the healthcare credentialing context.

8.4 Marketing Communications

You may opt out of receiving marketing communications by following the unsubscribe instructions in our emails or contacting us directly. Note that you will continue to receive transactional and service-related communications.

8.5 Cookies and Tracking

Most web browsers allow you to control cookies through their settings. However, disabling cookies may limit your ability to use certain features of our Services.

9. State-Specific Privacy Rights

9.1 California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, disclose, and sell
  • Right to request deletion of personal information
  • Right to opt out of the sale or sharing of personal information (we do not sell personal information)
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at hello@credflow.ai. We will verify your identity before responding to your request.

9.2 Other State Privacy Laws

If you reside in Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, you may have similar rights. Please contact us to exercise your rights under applicable state law.

10. International Data Transfers

Our Services are primarily intended for users in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. By using our Services, you consent to such transfers.

We implement appropriate safeguards for international data transfers in accordance with applicable data protection laws.

11. Children's Privacy

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information promptly.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated by CredFlow. This Privacy Policy does not apply to third-party sites or services. We encourage you to review the privacy policies of any third-party services you access.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website with a new effective date
  • Sending an email notification to the address associated with your account
  • Displaying a prominent notice within our Services

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes. We encourage you to review this Privacy Policy periodically.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

CredFlow AI

Email: hello@credflow.ai

Privacy Officer: privacy@credflow.ai

Website: www.credflow.ai

For HIPAA-related inquiries or to exercise rights regarding Protected Health Information, please contact our Privacy Officer at the email address above.

Last Updated: December 29, 2025