Privacy Policy

Last updated: April 8, 2026

1. Scope, agreement, and relationship to other notices

This Privacy Policy (“Policy”) describes how PeakLogic and its affiliates (collectively, “PeakLogic,” “we,” “us,” or “our”) collect, use, disclose, and otherwise process personal information in connection with:

  • Our public websites and domains that reference this Policy (including pages at peaklogic.co and related subdomains);
  • Our web and cloud-hosted software applications, APIs, and authenticated portals that support clinical and operational workflows for healthcare organizations (collectively, the “Services”);
  • Offline or non-digital interactions with us that we associate with an identifier (for example, support requests, contracting, and account administration); and
  • Demonstration, training, sandbox, or evaluation environments we make available, where this Policy applies unless a separate notice states otherwise.

This Policy does not apply to information processed solely by independent third-party websites, devices, or services that we do not control (even if we link to them). It also does not replace notices your healthcare provider or employer may provide under HIPAA or other laws.

Where we process protected health information (“PHI”) as a business associate on behalf of covered entities, our processing is also governed by applicable business associate agreements (“BAAs”) and customer contracts. If a BAA or enterprise agreement conflicts with this Policy on a specific point, the agreement controls for that processing.

2. Definitions

For purposes of this Policy:

  • “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked—directly or indirectly—with a particular individual or household, as defined under applicable law.
  • “PHI” has the meaning given in the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”).
  • “De-identified information” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable individual, consistent with a recognized de-identification method under applicable law.
  • “You” refers to individuals who interact with our websites or Services, including clinic staff, administrators, contractors, and authorized workforce members. Unless we say otherwise, “you” includes someone acting on behalf of an organization.

3. Categories of information we collect

The categories below are non-exhaustive illustrations. The specific data we collect depends on how you interact with us, how your organization configures the Services, and applicable law.

3.1 Identifiers and contact information

Examples include:

  • Name, preferred name, and professional title;
  • Work email address, phone number, fax, and mailing address;
  • Organization name, clinic or site identifiers, department, and role;
  • Account usernames, user IDs, and similar identifiers assigned by PeakLogic or your identity provider;
  • Emergency contact details if you choose to provide them in connection with support or account administration.

3.2 Authentication, security, and access-control data

Examples include:

  • Authentication factors and signals processed by our identity systems and integrations (such as single sign-on metadata, OAuth/OIDC tokens, session identifiers, and device posture where applicable);
  • Security logs, IP addresses used for access decisions, geolocation derived from IP for fraud prevention, and records of successful and failed sign-in attempts;
  • Role assignments, permissions, organization membership, and audit events needed to enforce least-privilege access.

3.3 Clinical, operational, and organizational content

When your organization uses the Services to support patient care and clinic operations, we may process content and metadata that your organization or its users submit or generate, which may include:

  • Patient identifiers and demographics that your organization chooses to enter (for example, name, date of birth, sex or gender fields, medical record numbers, and internal identifiers);
  • Clinical documentation, assessments, treatment notes, scheduling information, and operational records;
  • Files and attachments uploaded to the Services (for example, documents, exports from third-party systems, or clinical file types your workflows support);
  • Structured data fields associated with workflows your organization enables (for example, protocol-related operational data, device or pathway metadata, and quality or operational metrics your organization tracks).

Whether specific data elements are present depends on your organization’s configuration, integrations, and lawful bases for collection under HIPAA and other laws.

3.4 Communications you send us

When you contact us (for example, via email, web forms, chat, phone, or support ticketing), we collect the contents of those communications and related metadata (such as attachments, ticket IDs, time stamps, and routing information).

3.5 Device, technical, usage, and diagnostic data

Examples include:

  • Device type, operating system, browser type and version, language settings, and display characteristics;
  • IP address, carrier or network information, and approximate location derived from IP;
  • Pages viewed, features used, clickstream data, referring and exit pages, session duration, and similar product analytics;
  • Error reports, crash logs, performance traces, and diagnostic identifiers needed to troubleshoot issues (collected in accordance with our configuration and your organization’s settings where applicable).

3.6 Cookies and similar technologies

We use cookies, local storage, session storage, pixels, scripts, and similar technologies as described in Section 9 (Cookies and similar technologies).

3.7 Information we receive from third parties

Examples include:

  • Your organization or administrators who provision accounts and assign roles;
  • Identity providers and directory services used for single sign-on or workforce identity;
  • Service providers that support implementation, support, or integrations (for example, ticketing systems or email delivery services), where they share information with us as part of providing services to you or your organization;
  • Public sources and professional databases where permitted by law (for example, to validate organization affiliation in limited circumstances).

3.8 Sensitive or special categories of information

Depending on your jurisdiction, certain information may be treated as “sensitive” or a “special category” (for example, precise geolocation, certain health-related information outside HIPAA contexts, or biometric identifiers where regulated). We collect sensitive categories only where permitted by law and consistent with the purposes described in this Policy, your organization’s instructions (where we act as a processor), and any consent or authorization required by law.

5. How we disclose information and categories of recipients

We may disclose personal information to the following categories of recipients:

  • Your organization and authorized users: administrators may access certain information consistent with their roles and your organization’s policies.
  • Service providers and subprocessors: vendors that host infrastructure, provide authentication, deliver email, operate ticketing, monitor security, provide analytics, support implementation, or perform other functions on our behalf pursuant to written agreements that limit use and require appropriate security measures.
  • Professional advisors: lawyers, accountants, insurers, and auditors under confidentiality obligations.
  • Authorities and others when required by law: law enforcement, regulators, courts, or other governmental bodies when we believe disclosure is required or permitted by law, legal process, or to protect vital interests.
  • Business transfers: a successor or acquirer in connection with a merger, acquisition, reorganization, bankruptcy, financing, or sale of assets, subject to appropriate confidentiality and continuity commitments.
  • With your direction or consent: where you or your organization instructs us to disclose information, or where you provide consent where required.

We do not disclose PHI to third parties for their own marketing purposes except as permitted by law and any applicable BAA or customer agreement.

6. Sales, “sharing,” and targeted advertising

We do not sell personal information for monetary consideration. We also do not “share” personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), where those concepts apply.

We may use and disclose aggregated or de-identified information that cannot reasonably identify you for analytics, benchmarking, and service improvement.

If our practices change in a way that constitutes a “sale” or “sharing” under applicable U.S. state law, we will update this Policy and provide any legally required choices and disclosures.

7. HIPAA, PHI, and healthcare compliance

Where we create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate, we comply with HIPAA and applicable BAAs. Our obligations may include administrative, physical, and technical safeguards; minimum necessary access; breach notification requirements; and restrictions on uses and disclosures not permitted by the BAA or HIPAA.

Patients should review their provider’s Notice of Privacy Practices for how PHI is used and disclosed in care. If you are a patient seeking access to records, contact your provider; we generally act on instructions from our customer organizations for operational requests relating to the Services.

Nothing in this Policy is intended to authorize uses or disclosures of PHI that are prohibited by HIPAA, your organization’s instructions, or our agreements.

8. Service providers and subprocessors

We use a limited set of service providers to operate the Services. Depending on the deployment and integrations your organization selects, subprocessors may include infrastructure and platform providers, identity and access management providers, email and communications vendors, security monitoring tools, analytics providers, and customer support tooling.

We impose contractual obligations requiring subprocessors to use personal information only to deliver services to us, to implement appropriate security measures, and to assist us with compliance obligations where applicable. We remain responsible for the processing performed on our behalf in accordance with law, subject to the terms of our customer agreements.

Enterprise customers may have additional rights under their agreements to receive notice of changes to subprocessors or to object in limited circumstances.

9. Cookies and similar technologies

We use cookies and similar technologies for essential functions (such as security, load balancing, and session continuity), preferences (such as UI settings where stored in the browser), and analytics (where enabled).

You can control cookies through your browser settings. Blocking or deleting cookies may impact authentication, session persistence, and certain features. Some jurisdictions require consent for non-essential cookies; where required, we will obtain consent before setting non-essential cookies.

We may use analytics tools to understand traffic patterns on public pages and product usage in aggregate. Where we use third-party analytics, we configure tools to reduce identifying data where feasible (for example, IP anonymization where available) and we do not use such tools to sell personal information or to run cross-context behavioral advertising as described in Section 6.

10. Logging, monitoring, and diagnostics

We maintain server logs, application logs, security event information, and diagnostic telemetry as needed to operate reliable services, detect incidents, and support troubleshooting. We retain logs for limited periods based on security needs, legal obligations, and operational requirements.

11. Communications; marketing

We send transactional and administrative messages that are necessary to operate accounts and the Services (for example, password resets, security notices, and policy updates). You may not opt out of certain essential notices while you maintain an account, to the extent permitted by law.

Where permitted by law, we may send additional product information or event communications. You may opt out of non-essential marketing communications using the unsubscribe mechanism provided in those messages or by contacting us.

12. Aggregated and de-identified information

We may create aggregated statistics and de-identified datasets that do not reasonably identify you. We may use and disclose such information for analytics, security, research and development, and commercial purposes permitted by law.

13. Automated processing and profiling

We may use automated methods to support security (for example, risk scoring or anomaly detection), service reliability, and product operations. We do not use automated decision-making that produces legal or similarly significant effects about individuals where prohibited without appropriate safeguards; if we introduce such processing where required by law, we will provide additional information and choices.

14. Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including providing the Services, meeting legal, regulatory, tax, accounting, and contractual requirements, resolving disputes, and enforcing agreements.

Retention periods vary by data category. For example, account credentials may be retained for the life of the account plus a reasonable period thereafter; security logs may be retained for shorter periods unless a longer period is needed for incident investigation; and clinical content may be retained according to your organization’s configuration and legal obligations applicable to our customers.

When retention periods expire, we delete or de-identify information where feasible, subject to legal holds and backup rotation cycles.

15. Security measures

We implement administrative, technical, and organizational safeguards designed to protect personal information appropriate to the risk, which may include:

  • Access controls, least privilege, and role-based permissions;
  • Encryption in transit and encryption for stored data where appropriate;
  • Network segmentation, monitoring, and vulnerability management practices;
  • Logging, auditing, and security incident response procedures;
  • Vendor diligence and contractual security requirements;
  • Personnel training and confidentiality obligations.

No method of transmission or storage is completely secure. You are responsible for safeguarding credentials and following your organization’s security policies.

16. International data transfers

PeakLogic is based in the United States and processes information in the United States and other countries where we or our service providers maintain facilities. If we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we rely on appropriate safeguards such as Standard Contractual Clauses and supplementary measures where required, unless another lawful transfer mechanism applies.

17. Your privacy rights and choices

Depending on where you live, you may have rights regarding your personal information. These rights are not absolute and may be limited by law (for example, where we must retain data for legal compliance or where your organization controls certain data as an independent controller).

17.1 United States (state privacy laws)

Residents of certain states may have rights to access, correct, delete, or obtain a copy of personal information; to opt out of certain processing; and to appeal denials, depending on the state. States with comprehensive privacy laws continue to evolve; examples include California, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, and Minnesota, among others, each with varying scope and exceptions.

We honor applicable rights requests consistent with verifying your identity and any rights your organization may have over enterprise accounts and content.

17.2 Sensitive personal information (where applicable)

Where required by law, we limit use and disclosure of certain sensitive categories and provide rights to limit processing as applicable.

17.3 European Economic Area, United Kingdom, and Switzerland

You may have the right to access, rectify, or erase your personal data, to restrict its processing, to data portability, and to object to processing based on legitimate interests, as well as the right to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority.

17.4 HIPAA rights

HIPAA rights requests for PHI (for example, access or amendment requests) are generally directed to the covered entity responsible for the record. We assist our customers as required by our agreements and HIPAA.

18. How to exercise your rights; verification

To submit a request, contact us using the details in Section 27 (Contact us). We may need to verify your identity before responding and may request additional information reasonably necessary to process your request. You may designate an authorized agent where permitted by law, subject to verification and written authorization unless otherwise allowed.

We will respond within the timeframes required by applicable law. If we deny a request, we will explain why, to the extent required.

19. Appeals; non-discrimination

Where applicable law provides a right to appeal, you may appeal our decision by contacting us and describing your concern. We will explain any further steps available under law.

We will not discriminate against you for exercising privacy rights, except as permitted by law (for example, certain loyalty or pricing differences tied to voluntary programs with notice).

We do not offer financial incentives in exchange for personal information at this time. If that changes, we will provide required notices and consent mechanisms.

20. Children’s privacy

The Services are not directed to children under 13 (or the minimum age required in your jurisdiction) for independent account registration. We do not knowingly solicit personal information from children for marketing purposes. If you believe we have collected information from a child inappropriately, contact us and we will take appropriate steps.

Healthcare organizations may process pediatric patient information in the Services under their own policies and legal obligations; that processing is governed by HIPAA and the customer relationship, not children’s marketing rules.

21. Third-party links, integrations, and co-branded experiences

Our websites may link to third-party sites (for example, prtms.com). Third-party sites are governed by their own policies.

Your organization may enable integrations between the Services and third-party systems. Those third parties process information under their own terms and privacy policies, and your organization’s agreements with them may apply.

22. Global Privacy Control; “Do Not Track”

Some browsers transmit “Do Not Track” signals. There is no consistent industry standard for how to respond to DNT; we treat DNT as one signal among many and may not alter essential Service functionality based solely on DNT.

Where required by law, we honor validated universal opt-out signals such as the Global Privacy Control (GPC) for applicable browser-based collections, to the extent required for the processing activity and jurisdiction.

23. Sensitive data; files and recordings

Depending on your organization’s workflows, files uploaded to the Services may include clinical or operational content subject to heightened protections under HIPAA, state law, or contractual obligations. You should treat such content as sensitive and limit uploads to what is necessary for authorized workflows.

Unless separately disclosed in a product-specific notice, we do not use uploaded clinical files to train generalized public artificial intelligence models.

24. Additional U.S. state disclosures

California “Notice at Collection” (summary)

We collect the categories of personal information described in Section 3. We use this information for the purposes described in Sections 4–14. We may disclose personal information to the categories of recipients described in Section 5. We retain personal information as described in Section 14. For more detail, see the referenced sections above.

Nevada residents

Nevada residents may submit a verified request directing us not to sell certain personal information we sell (if any). We do not currently sell personal information as described in Section 6; if that changes, we will provide instructions to opt out as required.

25. Controller; representatives; supervisory authorities

Depending on the processing activity, PeakLogic or your organization may act as a controller or processor. Where PeakLogic is a controller, PeakLogic is responsible for the processing described in this Policy.

If we appoint EU/UK representatives or data protection officers for specific offerings, we will post their contact details on this page or in a supplemental notice.

You may lodge a complaint with your local supervisory authority. We ask that you contact us first so we can try to resolve your concern directly.

26. Changes to this Policy

We may update this Policy periodically. We will post the revised Policy on this page and update the “Last updated” date. If changes are material, we will provide additional notice as required by law (for example, email notice, in-product notification, or consent where required).

Your continued use of the Services after the effective date of changes constitutes your acknowledgment of the revised Policy, where permitted by law.

27. Contact us

For privacy questions, requests, or complaints, contact us through Contact or Support.

You may also write to us at:

PeakLogic
12625 High Bluff Drive, Suite 318
San Diego, CA 92130
United States

Phone: (619) 877-8672