Privacy Policy
Artificer Health, Inc.
Effective Date: April 2, 2026
Last Updated: April 2, 2026
Artificer Health, Inc. ("Artificer Health," "we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website at www.artificerhealth.com (the "Website"), use our prior authorization automation platform (the "Platform"), or otherwise interact with us.
Artificer Health is a Delaware C Corporation headquartered in Florida. We provide prior authorization automation services to healthcare providers, health plans, and their patients. In the course of providing these services, we may process protected health information ("PHI") as a business associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH").
If you are a patient or health plan member, your healthcare provider or health plan (the "Covered Entity") maintains its own Notice of Privacy Practices that governs how your PHI is used and disclosed. This Privacy Policy supplements — but does not replace — the Covered Entity's Notice of Privacy Practices.
1. Scope
This Privacy Policy applies to:
- Website Visitors: Individuals who visit www.artificerhealth.com.
- Platform Users: Healthcare providers, practice administrators, payer personnel, and other authorized users who access the Platform.
- Patients and Health Plan Members: Individuals whose PHI is processed by Artificer Health on behalf of a Covered Entity.
- Business Contacts: Individuals who contact us for sales inquiries, demo requests, partnership discussions, or other business purposes.
This Privacy Policy does not apply to information collected by third-party websites or services linked from our Website, even if we provide the link. We encourage you to review the privacy policies of any third-party services you access.
2. Information We Collect
2.1 Information You Provide Directly
- Contact and Business Information: Name, email address, phone number, organization name, job title, and mailing address when you submit a form, request a demo, sign up for our newsletter, or contact us.
- Account Information: Login credentials, user preferences, and account settings when you create an account on the Platform.
- Communications: Information you include in emails, form submissions, chat messages, or other communications with us.
2.2 Protected Health Information (PHI)
When we provide prior authorization services on behalf of a Covered Entity, we may process PHI including but not limited to:
- Patient names and demographic information
- Dates of birth, dates of service, and other dates related to care
- Insurance and health plan information
- Diagnosis codes, procedure codes, and treatment plans
- Prior authorization request and determination details
- Clinical documentation supporting prior authorization requests
We process PHI only as a business associate on behalf of Covered Entities, pursuant to a Business Associate Agreement ("BAA"). We do not use PHI for our own independent purposes outside the scope of the BAA and applicable law.
2.3 Information Collected Automatically
When you visit our Website, we may automatically collect:
- Device and Browser Information: IP address, browser type and version, operating system, device type, and screen resolution.
- Usage Data: Pages visited, time spent on pages, referring URL, clickstream data, and search queries within the Website.
- Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar tracking technologies as described in Section 8 below.
2.4 Information from Third Parties
We may receive information about you from:
- EHR and Practice Management Systems: Clinical and administrative data received through authorized integrations with electronic health record systems.
- Health Plans and Payers: Prior authorization requirements, coverage information, and determination data received through authorized payer integrations.
- Analytics Providers: Aggregated website analytics data from services such as Google Analytics or HubSpot.
3. How We Use Your Information
3.1 Website and Business Purposes
We use contact, business, and automatically collected information to:
- Respond to your inquiries, demo requests, and support requests.
- Provide, maintain, and improve our Website and Platform.
- Send you information about our products, services, and industry developments (with your consent where required by law).
- Analyze Website usage and trends to improve user experience.
- Protect against fraud, unauthorized access, and other security threats.
- Comply with legal obligations and enforce our Terms of Service.
3.2 PHI Processing
We use PHI solely as permitted or required by our BAAs with Covered Entities and applicable law, including:
- Treatment: Facilitating prior authorization processing to support healthcare providers' treatment decisions.
- Payment: Supporting coverage determination, claims processing, and utilization review.
- Healthcare Operations: Quality assessment, case management, and operational improvements on behalf of Covered Entities.
- As Required by Law: Disclosures required by federal, state, or local law, including responses to valid court orders and subpoenas.
- As Otherwise Permitted by HIPAA and Applicable Law: Including public health activities, health oversight, and judicial proceedings, subject to the minimum necessary standard.
We apply the Minimum Necessary Standard to all uses and disclosures of PHI, limiting access and disclosure to the minimum amount of information necessary to accomplish the intended purpose (45 CFR §164.502(b)).
4. How We Share Your Information
4.1 PHI Disclosures
We disclose PHI only as permitted by our BAAs and applicable law:
- To Covered Entities: We return prior authorization results, status updates, and related information to the healthcare providers and health plans we serve.
- To Payers and Health Plans: We transmit prior authorization requests and supporting documentation to the relevant health plan or utilization review organization.
- To Subcontractors and Business Associates: We may engage subcontractors who require access to PHI to provide services on our behalf. All such subcontractors are bound by subcontractor BAAs that impose obligations no less protective than those in our BAA with the Covered Entity.
- As Required by Law: We may disclose PHI when required to do so by federal, state, or local law.
We do not sell PHI. We do not use PHI for marketing purposes without valid authorization.
4.2 Non-PHI Sharing
We may share non-PHI information as follows:
- Service Providers: We engage third-party service providers (e.g., hosting, analytics, email, customer relationship management) that process information on our behalf under written agreements requiring them to protect your information.
- Legal Compliance and Protection: We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law, respond to legal process, protect our rights or property, or protect the safety of any person.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction, subject to standard confidentiality agreements.
- With Your Consent: We may share information for other purposes with your explicit consent.
We do not sell your personal information as defined under the California Consumer Privacy Act ("CCPA") or similar state laws.
5. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information, including:
- Encryption: All PHI and sensitive data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher, with TLS 1.3 preferred).
- Access Controls: Role-based access controls with multi-factor authentication, enforced through our identity management platform.
- Audit Logging: Comprehensive audit logging of access to PHI and sensitive systems.
- Incident Response: A documented incident response program for the detection, investigation, containment, and notification of security incidents.
- Vendor Security: All third-party vendors with access to PHI are required to execute BAAs and meet our security requirements.
- Compliance Programs: We maintain a security program designed to meet or exceed the requirements of HIPAA, HITECH, SOC 2 Type 2, and HITRUST CSF.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain information in accordance with the following principles:
- PHI: Retained for a minimum of six (6) years from the date of last action on the record, or longer as required by applicable state law (up to seven (7) years for records subject to Texas or California law, and ten (10) years for records of minors under California law). PHI retention is governed by our BAAs and applicable law.
- Account and Contact Information: Retained for the duration of our business relationship plus seven (7) years, unless you request deletion sooner.
- Website Usage Data: Retained for up to three (3) years.
- Communications: Retained for seven (7) years from the date of communication.
When information is no longer needed and no legal, regulatory, or contractual obligation requires its retention, we securely dispose of it using methods aligned with NIST SP 800-88 guidelines.
7. Your Privacy Rights
7.1 Rights Under HIPAA (Patients and Health Plan Members)
If your PHI is processed by Artificer Health on behalf of a Covered Entity, you have the following rights under HIPAA. To exercise these rights, please contact the Covered Entity (your healthcare provider or health plan) directly, as we process PHI on their behalf:
- Right of Access: You may inspect and obtain a copy of your PHI in our records.
- Right to Amend: You may request correction of PHI you believe is inaccurate or incomplete.
- Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
- Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI.
- Right to Confidential Communications: You may request that we communicate with you by alternative means or at alternative locations.
- Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights, if you believe your privacy rights have been violated.
7.2 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the following rights with respect to your personal information (as defined by the CCPA), subject to applicable exceptions:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete your personal information, subject to certain exceptions (including where retention is required by law or necessary to complete a transaction).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
Note: PHI that is collected and used in compliance with HIPAA is exempt from the CCPA. This section applies to personal information that falls outside of HIPAA's scope.
To exercise your CCPA rights, contact us at privacy@artificerhealth.com or using the contact information in Section 13.
We will respond to verified requests within forty-five (45) days, with one forty-five (45) day extension if necessary with written notice.
7.3 Rights Under the Washington My Health My Data Act (MHMDA)
If you are a Washington state resident, you have the following rights with respect to your consumer health data (as defined by the MHMDA):
- Right to Know: You may request confirmation of whether we are collecting, sharing, or selling your consumer health data, and obtain access to such data.
- Right to Withdraw Consent: You may withdraw consent to the collection or sharing of your consumer health data.
- Right to Delete: You may request deletion of your consumer health data.
We will respond to verified requests within thirty (30) days, with one fifteen (15) day extension if necessary with written notice.
We do not sell consumer health data as defined under the MHMDA. We do not collect, share, or use consumer health data for purposes beyond those disclosed in this Privacy Policy without your consent.
7.4 Rights Under Other State Laws
Residents of Colorado, Connecticut, Virginia, and other states with comprehensive privacy laws may have additional rights, including rights of access, correction, deletion, data portability, and the right to opt out of certain processing. To exercise your rights under any applicable state privacy law, please contact us using the information in Section 13.
7.5 Authorized Agents
You may designate an authorized agent to make a request on your behalf. We may require the authorized agent to provide proof of written authorization and may require you to verify your identity directly with us.
8. Cookies and Tracking Technologies
8.1 Types of Cookies We Use
| Category | Purpose | Examples |
|---|---|---|
| Strictly Necessary | Required for the Website to function. Cannot be disabled. | Session cookies, CSRF tokens, authentication cookies |
| Functional | Enable personalized features such as language preferences and saved settings. | Preference cookies, display settings |
| Analytics | Help us understand how visitors interact with our Website. | Google Analytics, HubSpot analytics |
| Marketing | Used to deliver relevant content and measure campaign effectiveness. | HubSpot tracking, LinkedIn Insight Tag |
8.2 Your Cookie Choices
You can manage your cookie preferences through our cookie consent banner when you first visit the Website. You may update your preferences at any time by clicking the "Cookie Settings" link in the Website footer.
You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website.
8.3 Do Not Track
Some browsers offer a "Do Not Track" ("DNT") signal. There is no industry consensus on how to respond to DNT signals, and our Website does not currently respond to DNT signals. We do, however, honor opt-out requests made through our cookie consent mechanism and through the Global Privacy Control ("GPC") signal as required by applicable law.
9. Children's Privacy
Our Website and Platform are not directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under thirteen (13) through our Website. If we learn that we have collected personal information from a child under thirteen (13) through our Website, we will take steps to delete such information promptly.
Note: In our capacity as a business associate, we may process PHI that relates to minors as part of prior authorization processing on behalf of Covered Entities. Such processing is governed by our BAAs, HIPAA, and applicable state law, not by the Children's Online Privacy Protection Act ("COPPA").
10. International Users
Our Website and Platform are intended for use within the United States. If you are accessing our Website from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.
PHI processed by Artificer Health is stored and processed exclusively within the United States.
11. Sensitive Data Categories
Artificer Health recognizes that certain categories of health information are subject to enhanced protections under federal and state law, including:
- Reproductive Health Information (protected under state-specific laws including California CMIA and Washington MHMDA)
- Mental and Behavioral Health Information (subject to state mental health acts)
- HIV/AIDS Information (subject to state-specific HIV confidentiality laws)
- Substance Use Disorder Records (protected under 42 CFR Part 2)
- Genetic Information (protected under the Genetic Information Nondiscrimination Act)
When we process information in these categories, we apply the Most Protective Standard: where multiple laws govern the same data, we apply the requirement that provides the greatest protection to the individual. We do not disclose sensitive category data except as specifically permitted by applicable law and our BAAs.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Post the revised Privacy Policy on our Website.
- Provide notice through the Website or by email where required by applicable law.
We encourage you to review this Privacy Policy periodically. Your continued use of the Website or Platform after the posting of changes constitutes your acknowledgment of such changes.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to file a complaint, please contact us:
Artificer Health, Inc.
Privacy Officer
Email: privacy@artificerhealth.com
Website: www.artificerhealth.com
To file a complaint with the U.S. Department of Health and Human Services:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Complaint Portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Toll-Free: 1-800-368-1019
14. State-Specific Disclosures
14.1 California
Under the CCPA/CPRA, we make the following disclosures for the preceding twelve (12) months:
| Category of Personal Information | Collected | Source(s) | Business Purpose | Sold or Shared for Cross-Context Behavioral Advertising |
|---|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | Directly from you; automatically collected | Responding to inquiries; Website analytics; marketing | No |
| Internet/network activity (browsing history, interactions) | Yes | Automatically collected | Website analytics; improving services | No |
| Professional/employment information (job title, employer) | Yes | Directly from you | Sales and marketing communications | No |
| Geolocation data (approximate, from IP address) | Yes | Automatically collected | Website analytics | No |
Financial Incentive Programs: We do not offer financial incentives for the collection of personal information.
Shine the Light: California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.
14.2 Texas
Under Texas Business and Commerce Code §521.053 and Texas Health & Safety Code §181.001 et seq. (HB 300), Texas residents have rights regarding the collection, use, and disclosure of their personal and health information. Texas law defines PHI more broadly than HIPAA to include health information held by any person, not just covered entities. Artificer Health applies HIPAA-equivalent protections to all health information of Texas residents, consistent with our Most Protective Standard.
14.3 New York
Under the New York SHIELD Act, New York residents are entitled to notification of security breaches involving their private information. The SHIELD Act's expanded definition of "private information" includes biometric data and login credentials. Artificer Health maintains data security safeguards consistent with the SHIELD Act's requirements.
This Privacy Policy is provided for informational purposes and does not create any contractual or other legal rights for any party. Artificer Health reserves all rights not expressly granted herein.