Version v1 · Effective 2026-04-24 · Cheryl AI, Inc.
This Privacy Policy explains how Cheryl AI, Inc. ("Cheryl", "we", "us") collects, uses, and protects information when healthcare providers use the Cheryl AI Chrome Extension and related services ("Service"). A separate Business Associate Agreement (BAA) governs our handling of Protected Health Information; this Policy complements but does not replace the BAA.
Summary
Purpose-limited. Cheryl is used only to draft and manage prior-authorization (PA) letters, appeals, and peer-to-peer prep — not for any other purpose.
No sale of data. We never sell clinical data, de-identified or otherwise.
Minimum necessary. We process only the clinical facts needed to draft a defensible PA letter. No SSN, no payment cards.
HIPAA. We operate under a HIPAA Business Associate Agreement with each customer organization before PHI is processed. OpenAI, our LLM subprocessor, operates under its own HIPAA BAA with us and does not train on data sent via its API.
Who this applies to
This Policy applies to the telehealth platforms and clinics that license Cheryl, and their authorized prior-authorization staff, prescribers, and administrators who use the Cheryl Chrome Extension or interact with our APIs. It does not apply to patients directly; patient privacy is governed by the HIPAA Notice of Privacy Practices issued by each provider organization.
Information we collect
From the provider (account data)
Email address, full name, role (PA rep, prescriber, administrator), and — for the prescriber on a request — National Provider Identifier (NPI), credentials, and state of licensure.
Organization identity: platform/clinic name and address as entered during setup.
Authentication artifacts: Google OAuth tokens (if used), email-and-password credentials (the password is scrypt-hashed; the plaintext is never stored or logged), JWT session identifiers, and a consent record (which Terms/Privacy version you accepted, with timestamp).
From the clinical workflow (clinical content)
Clinical context you paste, type, or forward (the patient's relevant history for the PA request).
Page text only when you explicitly click "Read Page", and text/images from PDFs you upload (extracted on-device where possible; image-only PDFs use AI vision OCR). We never auto-scrape, never read URLs in the background, never extract credentials.
The drug, payer, and scenario for the request; the PA observations Cheryl extracts (e.g., diagnoses, BMI, A1C, prior therapies); ICD-10 codes; drafted letters and revisions; denial letters you capture; and recorded payer outcomes.
Your accept / reject / edit decisions on drafts, and code corrections — used as training signal to improve future drafts.
Error logs and crash reports (with PHI scrubbed per our de-identification pipeline).
IP address, and an approximate region derived from it, for routing and analytics.
How we use it
Drafting prior-authorization letters, appeals, and peer-to-peer prep notes.
Running the deterministic PA pipeline: observation extraction, payer-policy criteria validation, ICD-10 specificity checks, clinical-trial citation lookup, and denial-likelihood prediction.
Learning from your accept/reject/edit decisions, code corrections, and recorded payer outcomes to improve future drafts. Learning is scoped to your organization.
Compliance audit trail: every draft and user decision is logged with timestamps to support audits and appeals.
Service communications (service alerts and onboarding emails) sent via Amazon SES.
Aggregate analytics and peer benchmarking only if your organization opts in under BAA §10 (de-identified per 45 CFR 164.514(b) Safe Harbor).
How we share it
We share data only with:
Subprocessors operating under written data-processing agreements:
OpenAI, L.L.C. — LLM inference for letter drafting, intent classification, observation extraction, and the agent tool-loop. Operates under a HIPAA BAA with Cheryl; data sent via the OpenAI API is not used to train OpenAI models per their BAA.
Amazon Web Services, Inc. — Simple Email Service (SES) for transactional and letter-delivery email; cloud infrastructure. HIPAA-eligible under AWS's BAA.
Loyeco, Inc. — PostgreSQL database hosting (US-East, encrypted at rest).
Service vendors that never receive PHI — Sentry (error monitoring) and PostHog (product analytics) receive only de-identified, whitelisted telemetry; our Slack notifications are PHI-redacted. By design these never process PHI, so they are not BAA subprocessors.
Payer PA destinations you direct — when you send or submit a finished letter, it goes to the payer's prior-authorization portal or a fax-to-email gateway you designate. Cheryl does not transmit PHI to any recipient you have not directed.
Government / legal process — when required by law, subpoena, or to comply with HIPAA Secretary access rights.
We do not share data with advertisers, data brokers, or for marketing purposes.
Request correction of inaccurate account information.
Delete the clinic's account; we destroy all PHI within 60 days per the BAA, retain only legally-required aggregate records.
Revoke data-aggregation opt-in at any time (effective prospectively).
California residents have additional rights under the CCPA. EU/UK residents should note Cheryl does not offer service in the EU/UK at this time; no EU/UK personal data is processed.
Security
TLS 1.2+ for all transport (WebSocket and HTTPS).
AES-256 encryption at rest (AWS RDS default + application-layer for sensitive fields).
JWT-based authentication with device-hash replay protection.
Role-based access control: owner, PA rep, prescriber, staff — each role sees only what it needs (HIPAA minimum necessary).
Audit log of every PHI access event (view, modify, export, route).
Incident response plan with 60-day maximum breach notification per HIPAA Breach Notification Rule.
Retention
Clinical content (PA letters, extracted observations, denial captures, outcomes, audit entries): retained for the life of the account plus 7 years after termination, matching typical HIPAA retention guidance.
Account data (email, name, NPI): retained for the life of the account plus 1 year.
Telemetry and error logs: 90 days rolling.
De-identified aggregate data (if opted in): retained indefinitely.
Children
Cheryl is not directed to children and does not knowingly collect information from children under 13. Pediatric patient information, if entered by a provider, is PHI under HIPAA and governed by the BAA.
Changes to this Policy
We'll email clinics if we materially change this Policy. Non-material updates (typo fixes, clarifications) may be made without notice but will be reflected in the version number. Continued use after notice constitutes acceptance.
v1 published 2026-04-24; revised 2026-06-23 for GLP-1 prior-authorization scope; revised 2026-06-29 to correct the authentication method (email + password) and the data-export channel. Subject to counsel review before general availability.