Privacy Policy

Klaxar Inc.(“Klaxar,” “we,” “our,” or “us”) is committed to protecting the privacy of individuals who interact with our platform. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit klaxar.com or use the Klaxar service (the “Service”).

Special note on Protected Health Information (PHI). When we process PHI on behalf of a covered entity customer, we act as a Business Associate under HIPAA. Use, disclosure, and safeguarding of PHI is governed by the executed Business Associate Agreement between Klaxar and the customer, not by this Privacy Policy.

Information you provide

• Account information: name, email, agency / organization, role, phone
• Authentication data: encrypted password hashes, SSO identifiers, 2FA settings
• Communications: support tickets, contact form submissions, marketing inquiries
• Billing information: address and payment method (handled by our PCI-compliant payment processor)

Information collected automatically

• Device & browser information: IP address, browser type, OS, device identifiers
• Usage data: pages viewed, actions taken, timestamps, performance metrics
• Cookies and similar technologies (see Section 8)
• Audit logs of administrative actions in the Service (for security & compliance)

Information we do NOT collect for marketing

• We do not use PHI for advertising or marketing under any circumstance.
• We do not sell personal information.
• We do not track customers across third-party websites for advertising.

• To provide, maintain, and improve the Service
• To authenticate users and prevent unauthorized access
• To respond to requests, support tickets, and inquiries
• To send transactional and security communications (e.g., billing, breach notifications)
• To send marketing communications (with opt-out available — see Section 6)
• To meet legal, regulatory, and compliance obligations
• To detect and prevent fraud, abuse, and security incidents

We share information only as follows:

• Subprocessors (cloud hosting, email delivery, error monitoring, etc.) — bound by data protection agreements and, for PHI, BAAs.
• Legal compliance — to respond to lawful requests, court orders, or governmental investigations.
• Business transfers — in connection with a merger, acquisition, or sale of assets, with continuity of protection obligations.
• Customer instructions — for PHI, only as directed by the covered entity per the BAA.
• With consent — for any other disclosure not described above.

We maintain a list of subprocessors at klaxar.com/legal/subprocessors (coming soon). The list includes cloud infrastructure (Supabase / AWS), email delivery (Resend), SMS delivery (Twilio), and similar service providers necessary to operate the Service. We update the list when subprocessors change.

Access, correction, and deletion

You can access, correct, or delete personal information through your account settings. For PHI, requests are handled by your covered entity, not directly by Klaxar.

Marketing opt-out

All marketing emails contain an unsubscribe link. You may opt out at any time without affecting transactional communications.

State law rights (CA, CO, VA, etc.)

Residents of certain U.S. states may have additional rights including the right to know, delete, correct, port, and opt out of certain processing. Email privacy@klaxar.com to exercise these rights. We will not discriminate against you for exercising any right.

We implement reasonable administrative, technical, and physical safeguards including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access control with least-privilege defaults
• Multi-factor authentication for administrative access
• Audit logging of access to PHI and other sensitive data
• Regular vulnerability scanning and security review
• Incident response procedures aligned with HIPAA Breach Notification Rule timelines

No system is perfectly secure. We will notify affected customers of a security incident as required by applicable law and the BAA.

We use cookies and similar technologies for:

• Authentication and session management (essential — cannot be disabled)
• Security and fraud prevention
• Analytics to understand usage and improve the Service
• Preferences (language, theme)

You can control cookies via your browser settings. Disabling essential cookies may break authentication and core functionality.

The Service is not directed to individuals under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, please contact us at privacy@klaxar.com.

The Service is operated from the United States. If you access the Service from outside the U.S., you understand that your information may be transferred to, stored, and processed in the U.S. under applicable U.S. law.

We retain personal information as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention schedules for PHI are governed by the BAA and applicable law.

We may update this Privacy Policy. We will post the updated version with a new effective date, and material changes will be communicated via email or in-app notice.

For privacy questions or requests:

• Email: privacy@klaxar.com
• Mail: Klaxar Inc., Attn: Privacy, [Mailing address pending counsel input]