1. Introduction
Datricx ("we," "us," or "our") operates an AI-powered medical billing and revenue cycle management (RCM) platform. This Privacy Policy describes how we collect, use, disclose, and protect information about you and your patients when you use our Service.
Because our Service processes healthcare data, we operate under both general privacy principles and HIPAA (Health Insurance Portability and Accountability Act) requirements. This policy covers both types of data: (1) practice and account information you provide, and (2) patient health data processed through the Service.
2. Information We Collect
Account and Practice Information
When you register and use Datricx, we collect:
- Contact information: name, email address, phone number
- Practice information: practice name, NPI, specialty, state, address
- Account credentials (passwords are hashed and never stored in plaintext)
- Payment information processed by Paddle (we do not store card details)
- Usage data: features used, claims submitted, session activity
Patient Health Information (PHI)
To provide medical billing services, we process clinical and administrative data you submit, including patient demographics, insurance information, diagnosis codes, procedure codes, and session notes. This data constitutes Protected Health Information (PHI) under HIPAA and is handled under a signed Business Associate Agreement (BAA).
Technical Data
We automatically collect certain technical information, including IP addresses, browser type, operating system, page views, and error logs, to operate and improve the Service.
3. HIPAA Compliance and PHI Handling
Business Associate Agreement
Datricx is a HIPAA Business Associate. We sign a Business Associate Agreement (BAA) with every customer before processing any PHI. The BAA outlines our obligations to safeguard PHI, report breaches, and use PHI only for permitted purposes.
PHI De-identification Before AI Processing
Datricx never sends identifiable PHI to any external AI model. Before clinical notes or patient data are processed by our AI coding engine, we apply HIPAA Safe Harbor de-identification (45 CFR §164.514(b)) — removing all 18 HIPAA identifiers including names, dates of birth, addresses, and health plan beneficiary numbers. The de-identified data used for AI coding cannot be re-linked to an individual patient.
AI Provider
Our AI coding and denial management features use Google Gemini (Google LLC) as the underlying AI model. All data transmitted to Google Gemini is de-identified as described above. We do not use OpenAI, Anthropic, or any AI provider that would receive identifiable PHI.
Data Storage
PHI is stored in encrypted databases (AES-256 encryption at rest) hosted on Supabase, which provides SOC 2 Type II compliant infrastructure. Data is encrypted in transit using TLS 1.2 or higher.
Access Controls
PHI access is restricted to authorized staff at your practice using role-based access controls. Datricx staff access PHI only when necessary to provide support or investigate a security incident, and only under strict internal access controls and audit logging.
4. How We Use Your Information
We use collected information to:
- Provide, operate, and improve the Datricx platform
- Process and submit medical claims on your behalf
- Generate AI-assisted ICD-10/CPT coding suggestions
- Send ERA payments to your practice management system
- Detect and prevent denial patterns
- Send product updates, billing notifications, and support communications
- Comply with legal obligations and HIPAA requirements
- Analyze aggregate, de-identified usage patterns to improve our AI models
We do not sell, rent, or trade your personal information or PHI to any third party for marketing or advertising purposes.
5. Information Sharing and Disclosure
Service Providers
We share information with trusted service providers who assist us in operating the Service, subject to confidentiality obligations:
- Paddle (paddle.com) — payment processing. Paddle processes subscription payments under their own privacy policy. We share billing email and plan details only.
- Supabase — secure database and authentication infrastructure.
- Google LLC (Gemini) — AI processing of de-identified clinical data only.
- Clearinghouses — claim submission to payers (Office Ally, Availity, etc.) under standard EDI agreements.
Legal Requirements
We may disclose information if required by law, regulation, court order, or to protect the rights, property, or safety of Datricx, our customers, or others.
Business Transfers
In the event of a merger, acquisition, or sale of substantially all assets, customer data may be transferred to the successor entity, subject to the same privacy protections.
6. Data Retention
We retain your account and practice data for the duration of your subscription plus 90 days after termination, after which it is permanently deleted. PHI is retained in accordance with HIPAA requirements (minimum 6 years from creation or last effective date) and applicable state medical record retention laws. You may request earlier deletion of non-PHI account data at any time.
7. Security
We implement industry-standard security measures including:
- AES-256 encryption for all data at rest
- TLS 1.2+ encryption for all data in transit
- Multi-factor authentication support
- Role-based access controls and audit logs
- Regular security assessments and vulnerability scanning
- Incident response procedures for breach notification within 60 days as required by HIPAA
No transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at security@datricx.com.
8. Your Rights
Account Data
You have the right to:
- Access and export your account and practice data at any time from Settings
- Correct inaccurate account information
- Request deletion of non-PHI account data
- Opt out of non-essential marketing communications
Patient Rights (HIPAA)
As a covered entity, you are responsible for fulfilling patient rights under HIPAA (access, amendment, accounting of disclosures, etc.). Datricx will assist you in fulfilling these obligations as specified in the BAA.
9. Cookies and Tracking
Our marketing website (datricx.com) uses functional cookies necessary for the site to operate and optional analytics cookies to understand traffic. You may decline non-essential cookies via our cookie banner. The Datricx application (app.datricx.com) uses only functional cookies required for session management and authentication — no advertising or third-party tracking cookies.
10. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children. Patient data submitted through the Service may include data for minor patients as part of legitimate pediatric billing — this data is processed solely for claim submission and is protected under the same HIPAA safeguards as all PHI.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.
12. Contact Us
For privacy inquiries, data requests, or HIPAA-related questions:
- Email: privacy@datricx.com
- Security incidents: security@datricx.com
- General: team@datricx.com