Privacy Policy

1. Introduction

This Privacy Policy describes how Assurium collects, uses, discloses, and safeguards information in connection with the assurium.co website (the "Site") and the Assurium desktop application (the "Application"), together referred to as the "Services."

Assurium is designed with a local-first architecture: clinical documents, extracted text, and audit outputs are stored on your device by default. Certain features involve transmission of data to third-party services as described below.

This Privacy Policy is not legal advice. It describes our data practices and does not replace your organization's independent obligations under HIPAA, state privacy laws, payer contracts, or other applicable regulations.

2. Overview of Our Data Practices

We do not sell your personal information. We do not serve behavioral advertising.

3. Information Stored Locally on Your Device

The Application stores the following data locally:

• Clinical Content: Documents you import, extracted text, and structured audit results
• Audit History: Timestamps, acknowledgments, and resolution records
• Configuration Data: Your preferences, custom rules, and Application settings
• Security Artifacts: Local authentication data (e.g., PIN hashes)

This data resides in local storage (SQLite database and configuration files) on your device. Assurium does not automatically transmit Clinical Content to Assurium servers.

4. Licensing Information

To validate your subscription and prevent unauthorized use, the Application transmits limited information to our licensing provider:

• License key or activation token
• A device fingerprint (a cryptographic identifier derived from hardware characteristics)
• Application version and platform metadata

We do not transmit Clinical Content for licensing purposes.

Our licensing provider is Keygen (https://keygen.sh). Keygen's privacy practices are governed by their privacy policy.

5. AI Processing Information (Cloud AI / BYOK)

The Application requires AI processing to perform audits. You configure AI processing by providing your own API key for a supported provider (currently Groq). When you run an audit:

• The Application sends clinical text to your configured AI provider using your API credentials
• The AI provider returns structured audit findings, which the Application stores locally

Important considerations:

• De-identification is available but optional. You may enable de-identification to reduce the risk of transmitting identifiable information.
• De-identification is not guaranteed to remove all identifiers. It is a best-effort risk-reduction measure.
• Assurium does not receive or store the clinical text you send to your AI provider. The transmission occurs directly between the Application and your provider's API endpoint.
• Your AI provider's data practices (including retention, model training, and security) are governed by your agreement with that provider.

6. Product Analytics (Telemetry)

The Application collects product analytics to help us understand usage patterns, diagnose issues, and improve the Services. Analytics collection is enabled by default and may be disabled in Application settings.

When enabled, we may collect:

• Usage metrics: Feature usage counts, workflow patterns
• Performance data: Processing times, error codes, application responsiveness
• Environment information: Application version, operating system type, platform architecture
• Anonymous identifiers: A randomly generated installation identifier (UUID)

We do not collect through analytics:

• Clinical Content or document text
• Patient names, identifiers, or PHI
• Evidence spans, quotes, or audit findings content
• File names or file paths
• Provider or clinician names
• Your AI provider API keys

7. Site Information

When you visit the Site, we automatically collect:

• IP address, approximate geographic location
• Browser type, operating system, device type
• Pages visited, referring URL, time and date of access, download selections

We may use cookies or similar technologies for essential Site functionality, remembering preferences, and analyzing aggregate traffic.

8. How We Use Information

We use the information we collect to:

• Provide and operate the Services
• Validate licenses and prevent fraud
• Improve reliability, performance, and user experience (telemetry if enabled)
• Provide support and respond to inquiries
• Maintain security and investigate incidents
• Comply with legal obligations

We do not use Clinical Content to train machine learning models.

9. How We Share Information

We engage third-party service providers to support our operations:

• Licensing Provider (Keygen): Subscription validation, fraud prevention
• Payment Processor (Stripe): Payment processing
• Hosting / CDN: Site delivery, installer distribution
• Analytics Infrastructure: Product analytics storage (if enabled)

When you configure cloud AI processing, clinical text is transmitted directly from the Application to your chosen AI provider using your API credentials. Assurium does not act as an intermediary for this transmission.

We may also disclose information to comply with law, protect rights and safety, or in connection with business transfers.

10. Data Retention

• Local Data: Retained until you delete it through the Application or uninstall
• Analytics Data: Typically not exceeding 24 months
• Site Logs: Typically not exceeding 12 months
• Licensing Records: Duration of subscription plus reasonable period thereafter

11. Data Security

We implement technical and organizational measures designed to protect information, including:

• Encryption in transit (TLS) for communications with external services
• Secure credential storage leveraging OS mechanisms where available
• Local-first architecture to reduce centralized exposure
• Analytics sanitization to prevent inadvertent collection of sensitive data

No system is completely secure. You are responsible for maintaining the security of devices running the Application.

12. Your Choices and Controls

• Analytics Opt-Out: Disable product analytics in Application Settings
• De-identification: Enable de-identification for clinical text before AI provider transmission
• Local Data Deletion: Delete documents, audits, and records from within the Application

13. Healthcare Compliance Notice

Assurium provides software to assist with clinical documentation review. Assurium does not provide medical advice, legal advice, coding services, or reimbursement guarantees.

Your organization is responsible for:

• Determining whether Clinical Content contains PHI
• Ensuring appropriate authorization for any external processing
• Configuring workflows in compliance with applicable laws and payer requirements
• Evaluating whether agreements (including BAAs) are required with your AI provider

14. Governing Law

This Privacy Policy is governed by the laws of the State of Florida, without regard to conflict of law principles.

15. Your Privacy Rights

Depending on your jurisdiction, you may have rights including access, correction, deletion, portability, and opt-out.

Because most Clinical Content is stored locally on your device, many requests are best fulfilled by managing data directly within the Application. To submit a request regarding information in our systems, contact privacy@assurium.co.

16. Children's Privacy

The Services are not directed to children under 13, and we do not knowingly collect personal information from children.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Effective Date" and provide notice through the Site or Application for material changes.

18. Contact Us

K. M. Fisher Systems LLC
DBA Assurium
7157 Narcoossee Road, #1104
Orlando, FL 32822, United States
privacy@assurium.co