Privacy Policy
Effective date: June 24, 2026 · Last updated: June 24, 2026
The short version
- Chart Auditor analyzes your clinical note in memory to suggest wording. We do not store the contents of your notes or any patient information (PHI) after a review completes.
- Our database keeps metadata only — things like note type, which standards were applied, token counts, and timestamps.
- We operate under a Business Associate Agreement (BAA) and our AI subprocessor (Anthropic) does too.
- We do not sell your data and we do not use note content for advertising.
1. Scope & who we are
This Privacy Policy explains how Chart Auditor, LLC ("Chart Auditor," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our website at chartauditor.com (the "Site"), our browser/Chrome extension (the "Extension"), our hosted onboarding and account pages, and related services (collectively, the "Services").
Chart Auditor helps clinicians, therapists, and facility operators in addiction treatment and behavioral health check their clinical documentation against insurer medical-necessity criteria, state regulations, and accreditation standards (such as The Joint Commission and CARF). By using the Services, you agree to this Policy. If you do not agree, please do not use the Services.
2. HIPAA, PHI & our role
Many of our users are HIPAA "covered entities" or their workforce members. When we process protected health information (PHI) on your behalf, we act as a Business Associate, and our handling of PHI is governed by the Business Associate Agreement (BAA) you accept during onboarding. Where this Policy and your BAA conflict with respect to PHI, the BAA controls.
We are built to minimize PHI. When you run a review, the relevant note content is transmitted securely and processed in memory to generate suggestions, then discarded. We do not persist the contents of your notes, the suggestions, or patient-identifying information in our databases. We retain only operational metadata (for example: note type, standards applied, level of care, token counts per processing stage, status, and timestamps). Suggestions are designed to rework the text you wrote and never to fabricate clinical content; you remain responsible for the accuracy of what you ultimately sign in your EMR.
3. Information we collect
a. Account & identity information
When you create an account we collect your name, email address, and authentication credentials. If you sign in with Google or Microsoft single sign-on (SSO), we receive your basic profile and email from that provider (we do not receive your SSO password).
b. Agreement records
To maintain our compliance chain, we record your acceptance of our Terms of Service and BAA, including the typed name, agreement version, timestamp, and IP address at the time of signing.
c. Subscription & billing information
Paid subscriptions are processed by Stripe. We receive subscription status and limited billing metadata (such as plan, status, and the last four digits/brand of a card). We do not receive or store full payment card numbers; those are handled by Stripe.
d. Note content processed during a review (transient)
When you initiate a review, the Extension captures the text and relevant fields of the note you are working on and transmits them to our backend for analysis. This content is processed transiently and is not retained after the review completes, as described in Section 2.
e. Usage & device metadata
We collect operational metadata about how the Services are used — for example, the number and type of reviews, which standards were applied, error/diagnostic events, approximate timestamps, and basic device/browser information needed to operate and secure the Services.
f. Website analytics
On the Site we use cookies and analytics (see Section 10) to understand traffic and improve the page. These analytics apply to the marketing Site only — not to the contents of your notes.
4. The Chrome extension specifically
For transparency, and consistent with Chrome Web Store requirements, here is exactly what the Extension does:
- Permissions we request: activeTab (to read the note on the page you are actively working in, only when you invoke the Extension), storage (to store your authentication token and preferences locally in the browser), and identity/SSO permissions used solely to sign you in.
- What it accesses: when you click the Extension on a note, it reads the form fields of that note so they can be reviewed. It does not run continuously in the background, does not read pages you have not submitted for review, and does not scrape unrelated browsing activity.
- What it transmits: the captured note content and review parameters (such as note type, insurer, level of care, and state) are sent over an encrypted connection to our backend for analysis, and suggestions are returned to you.
- What it stores locally: your session token and settings (such as default state and accreditation toggles) are stored in browser storage on your device. The Extension does not store note content or PHI.
5. How we use information
- To provide the core review function — analyzing a note and returning suggested wording and missing-element flags.
- To create and secure your account, authenticate you, and maintain your agreement and subscription records.
- To meter usage (for example, free-review allowances and plan limits) and process billing through Stripe.
- To operate, maintain, debug, and improve the Services, including aggregate and de-identified analysis that does not contain note content or PHI.
- To communicate with you about your account, security, updates, and support.
- To comply with legal obligations and enforce our Terms.
We do not sell your personal information or PHI, and we do not use the contents of your notes for advertising or to train third-party general-purpose AI models beyond what is necessary to provide the Service to you.
6. How we share information & subprocessors
We share information only with service providers ("subprocessors") that help us deliver the Services, under contractual confidentiality and security obligations and, where PHI is involved, under a BAA:
- Anthropic — provides the AI models that analyze note content to generate suggestions. Anthropic processes content under a BAA and does not use it to train its models for other customers.
- Google Cloud (Cloud Run, hosting & database) — hosts our backend and stores account and metadata records.
- Stripe — payment processing and subscription management.
- Email/notification provider (e.g., SendGrid) — transactional email such as verification and password resets.
- Google and Microsoft — only if you choose SSO, to authenticate you.
We may also disclose information if required by law, to protect the rights, safety, or security of users or the public, or in connection with a merger, acquisition, or sale of assets (in which case we will require the recipient to honor this Policy).
7. Data retention
Note content and suggestions: not retained after a review completes. Account, agreement, subscription, and usage metadata: retained for as long as your account is active and as needed to comply with legal, tax, audit, and compliance obligations, after which it is deleted or de-identified. You may request deletion of your account as described in Section 9.
8. Security
We use industry-standard safeguards including encryption in transit, access controls, least-privilege practices, and a metadata-only data model that minimizes the sensitive data at rest. No method of transmission or storage is 100% secure, but minimizing what we retain is central to how we reduce risk.
9. Your rights & choices
Depending on your location, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise these rights, contact us at the address in Section 13. You can also:
- Update your account details and preferences from within the Services.
- Cancel your subscription at any time from your account; cancellation stops future billing.
- Uninstall the Extension at any time, which stops all page access and clears its local storage.
Because we are a Business Associate, requests that concern PHI may need to be directed to the covered entity (your practice or facility), and we will assist as required by the BAA.
10. Cookies & analytics
Our Site uses cookies and similar technologies, including Google Analytics, to measure traffic and improve content. You can control cookies through your browser settings and opt out of Google Analytics using Google's opt-out tools. The Extension itself does not use advertising cookies.
11. Chrome Web Store limited-use disclosure
Chart Auditor's use of information received from Google APIs, and all data accessed through the Extension, adheres to the Chrome Web Store User Data Policy, including its Limited Use requirements. Specifically:
- We only collect and use the data described in this Policy, for the purpose of providing and improving the review feature you invoke.
- We do not sell this data, and we do not use or transfer it for personalized advertising.
- We do not use it for any purpose unrelated to providing the Services, and we do not allow humans to read note content except where required for security, to comply with law, with your consent, or as permitted under the BAA.
12. Children, international transfers & changes
Children. The Services are intended for use by clinicians and organizations and are not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children.
International transfers. We operate in the United States and process and store information there. If you access the Services from outside the U.S., you understand your information will be processed in the U.S. under appropriate safeguards.
Changes. We may update this Policy from time to time. We will update the "Last updated" date above and, for material changes, provide additional notice. Your continued use of the Services after an update constitutes acceptance of the revised Policy.
13. Contact us
Questions, requests, or privacy concerns? Contact us at:
Chart Auditor, LLC
Email: privacy@chartauditor.com