Privacy Policy
Constellate, Inc.
Effective Date: March 17, 2026
Constellate, Inc. ("Constellate," "we," "us," or "our") is committed to protecting the privacy of the information we handle. This Privacy Policy describes how we collect, use, and protect information in connection with our patient communication and outcomes platform (the "Platform").
This Policy applies to our customers (healthcare organizations and covered entities), their Authorized Users (clinicians and staff), and, as applicable, the patients who interact with the Platform at the direction of those customers.
This Privacy Policy does not constitute legal advice. If you have questions about HIPAA compliance, we encourage you to consult qualified legal counsel.
1. Scope and Relationship to HIPAA
1.1 PHI is Governed by Our BAA, Not This Policy
The Platform processes Protected Health Information ("PHI") on behalf of our healthcare customers (covered entities). PHI is not governed by this Privacy Policy. Instead, our handling of PHI is governed exclusively by our Business Associate Agreement ("BAA") with each customer, and by HIPAA and its implementing regulations. This Policy applies to non-PHI information we collect and process in operating the Platform and our business.
1.2 Who This Policy Applies To
This Privacy Policy applies to:
- Healthcare organization customers and their Authorized Users who access the Platform.
- Visitors to our website and individuals who contact us for information.
- Non-PHI operational data generated in connection with Platform use.
2. Information We Collect
2.1 Information Customers Provide
When a healthcare organization creates an account or uses the Platform, we collect:
- Organization name, address, and contact information.
- Names, email addresses, and role information of Authorized Users (clinicians and staff).
- Account credentials and authentication information.
- Billing and payment information (if applicable, once fees are introduced).
- Communications and support requests submitted to Constellate.
2.2 Information Generated Through Platform Use
In providing the Platform, we automatically collect:
- Usage data: features accessed, actions taken, session duration, and navigation patterns within the Platform.
- Device and technical data: browser type, operating system, IP address, and device identifiers.
- Log data: server logs, error reports, and access timestamps.
- Performance and diagnostic data used to operate, secure, and improve the Platform.
2.3 Information About Patients
Patients interact with the Platform at the direction of their healthcare provider (our customer). Patient information, including survey responses, is PHI and is handled exclusively under our BAA and in accordance with HIPAA. We do not independently collect personal information from patients for our own purposes.
2.4 Information We Do Not Collect
Constellate does not collect:
- Social Security numbers, government identification numbers, or financial account details from Authorized Users.
- Sensitive personal information unrelated to the provision of the Platform.
- Information from minors under the age of 13 through our website (we do not operate a consumer-facing service directed at children).
3. How We Use Information
3.1 To Provide and Operate the Platform
We use the information we collect to:
- Authenticate and authorize Authorized Users.
- Operate, maintain, and improve the Platform's features and performance.
- Process and route patient-reported outcome surveys and communications as directed by our customers.
- Generate dashboards and analytics for clinical and administrative use by our customers.
- Provide customer support and respond to inquiries.
3.2 For Security and Compliance
We use information to:
- Monitor for unauthorized access, security threats, and abuse of the Platform.
- Investigate and respond to suspected or confirmed security incidents.
- Comply with legal obligations, including applicable healthcare regulations and data security requirements.
- Enforce our Terms of Service and other agreements.
3.3 For Business Operations
We use non-PHI information to:
- Understand how customers use the Platform to guide product development and improvements.
- Generate aggregated, de-identified insights about Platform usage (in compliance with HIPAA de-identification standards where applicable).
- Communicate with customers about product updates, changes to these Terms, and operational matters.
3.4 What We Do Not Do
Constellate does not:
- Sell personal information to third parties.
- Use PHI for any purpose not permitted under our BAA or HIPAA.
- Use customer or patient data for advertising or marketing purposes unrelated to the Platform.
- Share personal information with third parties for their independent marketing purposes.
4. How We Share Information
4.1 With Service Providers
We share information with third-party vendors and service providers that support our operations, including cloud hosting providers, analytics tools, email delivery services, and security monitoring services. These providers access information only as needed to perform services on our behalf and are contractually required to maintain appropriate confidentiality and security obligations. Where applicable, vendors that handle PHI are engaged under appropriate BAAs.
4.2 Within Our Organization
Access to customer and user information within Constellate is limited to employees and contractors who need access to perform their job functions, and is subject to appropriate confidentiality obligations.
4.3 For Legal and Safety Purposes
We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or a valid governmental request; (b) protect the rights, property, or safety of Constellate, our customers, patients, or the public; or (c) enforce our Terms of Service.
4.4 Business Transfers
If Constellate is involved in a merger, acquisition, financing, or sale of business assets, information we hold may be transferred as part of that transaction. We will notify affected customers of any such change and any choices they may have.
4.5 With Customer Consent
We may share information in other circumstances with the prior written consent of the relevant customer or Authorized User.
5. Data Retention
We retain non-PHI information for as long as necessary to provide the Platform, fulfill the purposes described in this Policy, and comply with our legal obligations.
PHI retention is governed exclusively by our BAA with each customer and by applicable law. Upon termination of a customer relationship, PHI will be returned or destroyed in accordance with the BAA.
Aggregated, de-identified data derived from Platform use may be retained indefinitely as it does not constitute personal information.
6. Security
Constellate implements administrative, physical, and technical safeguards designed to protect the information we handle from unauthorized access, disclosure, alteration, or destruction. These include:
- Encryption of data in transit using TLS and at rest using industry-standard encryption.
- Role-based access controls limiting access to information on a need-to-know basis.
- Monitoring and logging of access to the Platform and underlying systems.
- Regular review of security practices as the Platform scales.
No security system is impenetrable. Constellate cannot guarantee the absolute security of information transmitted to or stored on the Platform. Customers are responsible for maintaining the security of their account credentials and for the security practices of their Authorized Users.
In the event of a security incident involving PHI, Constellate will fulfill its breach notification obligations as set forth in the BAA and under HIPAA.
7. Customer and User Rights
7.1 Access and Correction
Authorized Users may access and update their account information directly within the Platform. Customers may request correction of inaccurate information by contacting us at privacy@constellate.com.
7.2 Data Portability and Deletion
Customers may request a copy of their non-PHI data or request deletion of their account by contacting privacy@constellate.com. Deletion requests will be honored subject to our legal retention obligations and the terms of the BAA. Note that deletion of PHI is governed by the BAA.
7.3 Patient Rights
Patients seeking to exercise rights over their PHI (such as rights of access, amendment, or restriction under HIPAA) should contact their healthcare provider directly. Patients' rights with respect to PHI are governed by HIPAA and are the responsibility of the covered entity customer, not Constellate.
7.4 Opt-Out of Non-Essential Communications
Authorized Users may opt out of non-essential communications (such as product newsletters) by using the unsubscribe mechanism in such communications or contacting privacy@constellate.com. We will continue to send account-related and operational communications that are necessary to provide the Platform.
8. Cookies and Tracking Technologies
The Platform uses cookies and similar technologies to support authentication, session management, and basic platform functionality. We do not use tracking technologies to serve behavioral advertising.
Authorized Users may control cookie settings through their browser; however, disabling certain cookies may affect Platform functionality. We do not currently respond to browser Do Not Track signals, as there is no uniform industry standard for doing so.
9. Third-Party Links and Integrations
The Platform may contain links to third-party websites or support integrations with third-party tools at the direction of our customers. This Privacy Policy does not apply to third-party services. We encourage customers and users to review the privacy practices of any third-party services they use in connection with the Platform.
10. State-Specific Privacy Rights
Depending on your location, you may have additional privacy rights under applicable state law. For example:
- California residents may have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete, and the right to opt out of sale. Constellate does not sell personal information.
- Other states have enacted or are enacting comprehensive privacy laws that may provide similar rights.
To exercise any applicable state privacy rights, please contact privacy@constellate.com. We will respond to verifiable requests within the timeframes required by applicable law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify customers via email or in-platform notification at least thirty (30) days before the changes take effect. The "Effective Date" at the top of this Policy indicates when the current version became effective.
Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you may terminate your use of the Platform in accordance with your agreement with Constellate.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or Constellate's privacy practices, please contact us:
Constellate, Inc.
Privacy inquiries: privacy@constellate.com
Legal / BAA inquiries: legal@constellate.com
Incorporated in the State of Delaware