Privacy Policy
Last updated: July 14, 2026
Calypta Systems, Inc. ("Calypta," "we," "us," or "our") operates the Calypta Health platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and services.
Calypta Health offers two ways to access health guides: public guides available directly on our website, and partner-sponsored passes shared by clinicians and health organizations. These access modes have different privacy characteristics, described below.
1. Information We Collect
Public Guide Users
By default, you can browse a public guide and have a conversation without providing your name, email address, or any other contact information. When you use a public health guide on our website and choose to start a conversation, we collect:
- Survey responses
- Chat conversation content (with automatic PII redaction — see Section 3)
- Flow activity metadata (cards viewed, completion status, timestamps)
- A record of your agreement to our Terms of Use and this Privacy Policy (the date of your acceptance and the document versions in effect)
- IP address and user agent (for security and abuse prevention)
In some circumstances (for example, abuse prevention) we may require you to verify an email address before starting a conversation. If you do, we also collect your verified email address, and Calypta can link that email address to the conversation you start. We use this link for verification, abuse prevention, and support. Your email address is not sent to AI model providers. If you were not asked to verify an email, we do not collect your name or contact information, and your conversation is not linked to them — though technical identifiers such as IP address are retained separately for security (see Section 5).
We use a browser cookie and local storage to maintain your session. The cookie is scoped to your specific session, is not used for tracking or advertising, and expires when the session ends or after 30 days.
Browsing the guide content (cards, surveys) does not require an email or account. Starting the AI-powered conversation requires agreeing to our Terms of Use and this Privacy Policy; it does not require an email address unless we indicate otherwise.
Partner Accounts
When you create an account to share Calypta flows with patients or members ("Partner Account"), we collect:
- Your name and work email address
- Your professional role
- Health topics you're interested in
- Login timestamps and IP addresses (for security purposes)
Pass Recipients (Default Mode)
When someone uses a partner-sponsored pass to access a flow, Calypta is intentionally designed to minimize or avoid linking the pass recipient's identity to their flow interaction data. We collect:
- Survey responses (not linked to any individual)
- Chat conversation content (de-identified, with PII automatically redacted)
- Session metadata (timestamps, flow completion status)
- A record of your agreement to our Terms of Use and this Privacy Policy (the date of your acceptance and the document versions in effect)
Session continuity is maintained through a browser cookie scoped to the specific session. The cookie is not used for tracking or advertising and expires when the session ends or after 30 days.
Pass Recipients (Enterprise Mode)
Some organizations choose to operate in enterprise mode under a Business Associate Agreement. In this mode, with recipient consent, we may additionally collect:
- Information linking a pass to a specific recipient
- Full conversation transcripts (without PII redaction)
- Additional identifiers provided by the sponsoring organization
Enterprise mode data is handled in accordance with HIPAA requirements and the terms of our Business Associate Agreement with the sponsoring organization. Recipients may opt out of data sharing even in enterprise mode.
Community Contributors
If you contribute money to fund conversations for a guide, your payment is processed by a third-party payment processor. We do not receive or store your full payment card number. We do receive from the processor, and retain:
- The email address you provide at checkout (used to acknowledge your contribution)
- Transaction identifiers, the amount, and the guide you funded
Contribution records are not linked to any conversation content, including your own.
Website Visitors
When you visit our marketing website, we may collect basic analytics data (pages viewed, referral source) to improve our services.
2. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Authenticate Partner Account holders
- Record your agreement to our Terms of Use and this Privacy Policy
- Verify email addresses, where email verification is required for chat access
- Enable users to resume active sessions within the session period
- Manage funded conversation capacity for public guides
- Track pass redemption counts (not identities) for quota management
- Analyze de-identified conversation and survey data to improve our flows
- Conduct research on health decision support effectiveness
- Detect and prevent fraud, abuse, and security incidents
- Communicate with Partner Account holders and public guide users about their sessions
3. Automatic PII Redaction
We automatically detect and redact personally identifiable information (such as names, addresses, and phone numbers) from chat conversations before storage. This applies even when users voluntarily share such information during a conversation.
Redaction is performed by an automated detection service that processes your message text for this purpose. Automated detection is a reasonable-efforts safeguard, not a guarantee: it may occasionally miss identifying details, and in rare technical-failure cases a message may be stored without redaction. This is why we ask you not to share personal information in the conversation in the first place.
This redaction applies to chat conversation content, not to contact information you intentionally provide outside the conversation (such as an email address submitted at an email verification step, where one is required). A verified email address is stored separately from your conversation and is not processed by our AI providers.
4. Third-Party Services
We use third-party service providers to operate Calypta Health. Different categories of providers process different categories of data:
- Cloud infrastructure providers host the platform and store encrypted data.
- AI service providers process chat conversations. They receive de-identified conversation content but do not receive your email address or other contact information.
- Email delivery services send verification codes and account communications. They receive your email address but not your conversation content.
- Payment processors handle transactions for Partner Accounts and community contributions. The processor receives your payment details; what Calypta itself receives and retains for contributions is described in Section 1 ("Community Contributors").
- An automated PII-detection service processes chat message text in order to redact identifying details before storage (see Section 3).
All providers process data on our behalf under contractual obligations to protect your information.
5. Data Retention
- Partner Account data: Retained while your account is active and for up to 3 years after account closure for legal and audit purposes.
- Public guide contact records: Where email verification was used, verified email addresses and associated session metadata are retained for a limited period after the session ends. We may delete this data on a periodic basis; you may also request deletion at any time.
- Consent records: Records of your agreement to our Terms of Use and this Privacy Policy (acceptance date and document versions) are retained with the associated session records for as long as needed to demonstrate that agreement.
- Email verification challenges: Verification codes expire within minutes. Verification records are removed after successful verification or replacement by a new code.
- De-identified research data: Survey responses and redacted chat transcripts may be retained indefinitely for research and product improvement purposes. This data cannot be linked to any individual.
- Security logs: IP addresses and access logs are retained for up to 90 days for security monitoring.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication requirements
- Regular security assessments
- Architectural separation between pass issuance and redemption systems
- Browser-bound session ownership (sessions cannot be transferred by sharing a URL)
7. Cookies and Local Storage
When you start a health guide (either through a public guide or a partner-sponsored pass), we set a browser cookie to identify you as the owner of that session. This cookie:
- Is scoped to your specific session (not shared across sessions or flows)
- Is HttpOnly and cannot be read by other websites or scripts
- Expires when the session ends or after 30 days
- Is not used for advertising, analytics, or cross-site tracking
We also use browser storage to save your progress within a guide, so you can resume where you left off if you close and reopen the page. The specific storage mechanism varies by access mode but is always limited to your browser and is not shared with other sites.
8. Your Rights
All Users
You may contact us at any time to request access to, correction of, or deletion of your personal information.
Public Guide Users
By default, public guide conversations are not linked to your identity: no contact information is collected and conversation content is automatically PII-redacted (see Section 3 for that safeguard's limits). This means we generally cannot locate or delete a specific anonymous conversation in response to an individual request — and, equally, that the data is designed not to identify you.
If you verified an email address for your session, we can locate and delete your contact record and associated session data on request. Contact us at privacy@calyptahealth.com with the email address you used.
Pass Recipients (Default Mode)
In default mode, flow interaction data (survey responses, chat transcripts) is not linked to any identifiable individual. Because this data is not connected to a specific person, we are unable to locate or delete specific records in response to individual requests. However, this also means the data is designed not to identify you.
California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your privacy rights
European Users (GDPR)
If you are in the European Economic Area, you have additional rights including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority.
9. Children's Privacy
Calypta Health is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 18.
Some of our guides address health decisions for minors. In these cases, the intended user is the parent or guardian making the decision, not the minor.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page, and starting a new AI conversation will require accepting the revised policy. We will notify Partner Account holders of material changes by email or through the service. For uses of Calypta Health that do not involve starting a conversation, continued use after changes take effect constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Calypta Systems, Inc.
Email: privacy@calyptahealth.com