Privacy Policy
Last updated: June 1, 2026 · Effective: June 1, 2026
Simera Health, Inc. ("Simera," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service. This policy applies to all users of the Simera web application.
If your use of the Service involves Protected Health Information (PHI), that data is governed by our HIPAA Business Associate Agreement (BAA), which takes precedence over this Privacy Policy for PHI.
1. Information We Collect
Account information: Name, email address, organization name, and authentication credentials (managed by Clerk).
Uploaded data: 835 ERA files and other billing data you upload to the Service. This data may contain PHI. We process this data solely to provide the Service.
Usage data: Pages visited, features used, queries submitted to the AI assistant, timestamps, and error logs. This data is used to improve the Service.
Technical data: IP address, browser type, device type, and operating system. This data is collected automatically when you access the Service.
2. How We Use Your Information
- To provide, operate, and improve the Service
- To analyze your 835 data and generate revenue cycle insights
- To respond to your support requests
- To send transactional emails (audit complete, deadline reminders)
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
- To generate aggregated, de-identified benchmarks (never linked to you)
We do not sell your personal information or PHI to third parties. We do not use your PHI to train AI models without explicit consent.
3. How We Share Your Information
Service providers: We share data with vendors who help us operate the Service, all under data processing agreements:
- Amazon Web Services (AWS) — infrastructure, storage, logging
- Anthropic — AI analysis (under BAA for PHI)
- Supabase — database
- Vercel — frontend hosting
- Clerk — authentication
Legal requirements: We may disclose information if required by law, court order, or to protect the rights and safety of Simera and its users.
Business transfers: In the event of a merger or acquisition, your data may be transferred to the successor entity under the same privacy protections.
4. HIPAA and Protected Health Information
Simera is designed for use with 835 ERA files that may contain PHI. When you execute a BAA with us, we become your Business Associate under HIPAA and are obligated to:
- Use PHI only as permitted by the BAA and HIPAA
- Implement appropriate administrative, physical, and technical safeguards
- Report breaches of unsecured PHI within 60 days of discovery
- Return or destroy PHI upon termination of the BAA
Contact compliance@simera.health to execute a BAA before uploading PHI.
5. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS)
- Access controls and authentication (Clerk with MFA support)
- Network isolation (private VPC subnets, no public API IPs)
- Audit logging of all data access events (CloudTrail + CloudWatch)
- Regular security reviews and dependency scanning
No system is perfectly secure. If you believe your account has been compromised, contact security@simera.health immediately.
6. Data Retention
We retain your account data for as long as your account is active. Uploaded 835 files and audit results are retained for 7 years to meet HIPAA minimum retention requirements, unless you request deletion sooner.
Upon account termination, you may request export of your data within 30 days. After 30 days post-termination, data is deleted from active systems and purged from backups within 90 days, except where retention is required by law.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Request deletion of your personal information
- Export your data in a portable format
- Opt out of non-essential communications
To exercise these rights, contact privacy@simera.health. We will respond within 30 days.
8. Cookies and Tracking
We use essential cookies for authentication and session management (provided by Clerk). We do not use third-party advertising cookies or behavioral tracking cookies. We may use analytics to understand aggregate usage patterns.
9. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect information from minors. If we become aware that a minor has provided us information, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact Us
Simera Health, Inc.
Privacy inquiries: privacy@simera.health
Security incidents: security@simera.health
HIPAA/compliance: compliance@simera.health