1. Introduction
Welcome to Coral Automation Inc. dba Mandolin ("we," "us," "our"). We are committed to protecting the privacy and security of the personal information we collect, use, share, and otherwise process. This Privacy Policy describes our practices in connection with information that we collect through our healthcare software-as-a-service platform, including any artificial intelligence (AI) features incorporated therein (collectively, the "Service").
This Policy explains what information we collect, how we use and share that information, and your rights regarding your information, particularly in compliance with healthcare-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) where applicable.
By using our Service, you agree to the collection, use, disclosure, and procedures this Privacy Policy describes. Beyond this Privacy Policy, your use of our Service is also subject to our Terms of Service and any applicable Business Associate Agreement (BAA) if you are a Covered Entity or Business Associate under HIPAA.
2. Scope and Applicability
- For our Customers (e.g., Healthcare Providers, Hospitals - "Covered Entities" or "Business Associates"): When we provide our Service to healthcare organizations, we often act as a "Business Associate" under HIPAA. In such cases, our collection, use, and disclosure of Protected Health Information (PHI) are governed by the terms of the Business Associate Agreement (BAA) executed with the Covered Entity, this Privacy Policy, and applicable law. The Covered Entity is responsible for ensuring they have the necessary patient consents and authorizations.
- For Individual Users (e.g., Patients accessing data through a portal provided by a Customer, or direct users if applicable): This policy outlines how your information is handled when you interact with our Service.
- For Website Visitors: This policy also applies to information collected when you visit our marketing website.
3. Information We Collect
We may collect the following categories of information:
- a. Information Provided by Our Customers (Healthcare Organizations):
  - Protected Health Information (PHI): This may include patient names, dates of birth, medical record numbers, diagnoses, treatment information, medications, lab results, images, insurance information, and other health-related information, as defined by HIPAA. This data is provided by our Customers for processing within our Service.
  - Customer Employee/User Information: Names, email addresses, phone numbers, professional titles, and login credentials for individuals authorized by our Customers to use the Service.
- b. Information You (Individual Users) Provide Directly to Us:
  - Account Information: If you create an account directly with us, we may collect your name, email address, password, and other information needed to set up and manage your account.
  - Communication Information: Information you provide when you contact us with questions, feedback, or otherwise communicate with us.
- c. Information Collected Automatically:
  - Usage Data: We collect information about how you and your authorized users interact with our Service. This may include IP addresses, browser types, device identifiers, operating systems, access times, pages viewed, features used, and referring URLs.
  - Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to collect information about your interaction with our Service, enhance user experience, and for analytics. You can control the use of cookies at the individual browser level.
- d. Information Processed or Generated by AI Features:
  - Input Data: PHI or other data submitted by Customers or users for processing by our AI algorithms (e.g., medical images for analysis, patient data for predictive modeling).
  - AI-Generated Data/Insights: Outputs, predictions, classifications, or insights generated by our AI models based on the input data. These outputs may constitute PHI if they relate to an identifiable individual.
  - De-identified or Aggregated Data for AI Model Training and Improvement: We may use de-identified or aggregated data (from which personal identifiers have been removed in accordance with HIPAA or other applicable standards) to train, validate, and improve our AI algorithms and the overall Service. We will describe this process in more detail in our BAAs and/or service agreements.
4. How We Use Your Information
We use the information we collect for the following purposes:
- a. To Provide and Maintain the Service:
  - Deliver the functionalities of our healthcare SaaS platform.
  - Process and store PHI on behalf of our Customers as permitted by our BAAs.
  - Enable AI features to analyze data and provide insights as requested by Customers.
  - Create and manage user accounts.
  - Provide customer support and respond to inquiries.
- b. To Improve and Develop Our Service:
  - Analyze usage patterns to understand how our Service is used and identify areas for improvement.
  - Develop new features, functionalities, and products.
  - For AI Model Training and Enhancement: Use de-identified and/or aggregated data to train, validate, and improve the accuracy, efficacy, and safety of our AI algorithms. We implement strict data governance and de-identification processes in accordance with applicable laws like the HIPAA de-identification standards.
- c. To Communicate With You:
  - Send administrative information, such as updates to our terms, conditions, and policies.
  - Provide service-related announcements (e.g., maintenance notifications).
  - Respond to your comments and questions.
  - With your consent, send marketing communications about our products and services.
- d. For Security and Compliance:
  - Protect the security and integrity of our Service, data, and systems.
  - Prevent fraud, and identify and address bugs or errors.
  - Comply with legal obligations, including those under HIPAA and other applicable laws.
  - Enforce our Terms of Service and BAAs.
- e. Aggregated and De-identified Information:
  - We may aggregate and/or de-identify information collected through the Service so that it can no longer be linked to you or your device. We may use such information for any purpose, including for research, analytics, and to improve our Service.
5. How We Share Your Information
We do not sell your PHI. We may share your information in the following circumstances:
- a. With Our Customers (Healthcare Organizations): We share PHI and AI-generated insights with the Customer (Covered Entity) that provided the data, as directed by them and in accordance with our BAA.
- b. Service Providers (Subcontractors/Business Associates): We may share information with third-party vendors, consultants, and other service providers who perform services on our behalf (e.g., cloud hosting, data analytics, customer support, security services). These third parties are contractually obligated to protect the information and use it only for the purposes for which it was disclosed, and if they handle PHI, they must sign a BAA with us.
- c. For AI Model Development (with safeguards): If we engage third-party AI developers or use third-party platforms for model development, we will only share data that has been appropriately de-identified according to HIPAA standards or other applicable laws, or as explicitly permitted under our BAAs and with appropriate contractual safeguards.
- d. Legal Obligations and Rights: We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to:
  - Comply with a legal obligation (e.g., subpoena, court order).
  - Protect and defend our rights or property.
  - Prevent or investigate possible wrongdoing in connection with the Service.
  - Protect the personal safety of users of the Service or the public.
  - Protect against legal liability.
- e. Business Transfers: In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
- f. With Your Consent: We may share your information with third parties when we have your explicit consent to do so (or the consent of the relevant Customer/Covered Entity in the case of PHI).
6. Data Security
We implement a range of administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of the information we process, including PHI. These measures include:
- Encryption of data at rest and in transit.
- Access controls and authentication mechanisms.
- Regular security assessments and vulnerability management.
- Employee training on privacy and security obligations.
- Incident response plans.
While we strive to protect your information, no security system is impenetrable. We cannot guarantee the absolute security of your information. In the event of a data breach involving PHI, we will comply with the notification requirements under HIPAA and our BAAs.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, and as required by our contractual obligations with our Customers (including BAAs). PHI is retained in accordance with the terms of the applicable BAA and the Customer's instructions.
When we no longer need personal information, we will securely delete or anonymize it.
8. Your Rights and Choices
Depending on your location and the nature of your interaction with our Service, you may have certain rights regarding your personal information:
- a. For PHI managed by our Customers (Covered Entities): If your PHI is processed by us on behalf of one of our Customers, you should direct any requests to access, amend, or restrict the processing of your PHI to that Customer. We will assist our Customers in responding to such requests as required by our BAAs.
- b. Access and Correction: You may have the right to access and correct your personal information that we hold.
- c. Opt-Out of Marketing Communications: You can opt out of receiving promotional emails from us by following the unsubscribe instructions in those emails.
- d. Cookies: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies.
- e. "Do Not Track": Some web browsers incorporate a "Do Not Track" feature. Our Service may not currently respond to "Do Not Track" signals.
- f. Specific Jurisdictional Rights (e.g., GDPR, CCPA): If you are in a jurisdiction with specific privacy rights (e.g., right to erasure, right to data portability, right to object to processing under GDPR; right to know, delete, opt-out of sale under CCPA), please contact us to exercise these rights. We will respond to your request in accordance with applicable law.
9. AI and Automated Decision-Making
Our AI features are designed to assist healthcare professionals and are not intended to replace professional medical judgment.
- Transparency: We strive to be transparent about how our AI models are trained and how they make decisions or generate insights, within the bounds of proprietary information and intellectual property.
- Human Oversight: Where AI is used for critical healthcare decisions, we encourage and often require human oversight by qualified healthcare professionals.
- Bias and Fairness: We are committed to developing and deploying AI responsibly and take steps to mitigate bias in our AI models and data. This is an ongoing process of evaluation and improvement.
10. Children's Privacy
Our Service is not intended for direct use by individuals under the age of 13 (or a higher age threshold if applicable in certain jurisdictions) without parental consent or unless provided by a healthcare provider in the context of care. We do not knowingly collect personal information from children under 13 without such consent or lawful basis. If we learn that we have collected personal information from a child under 13 without appropriate authorization, we will take steps to delete that information. If PHI of a minor is provided by a Customer (healthcare provider), it is handled in accordance with HIPAA and the BAA.
11. International Data Transfers
If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated. Data protection laws in the U.S. may be different from those in your country. We will apply appropriate safeguards to protect your information in accordance with this Privacy Policy and applicable law when it is transferred.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the new Privacy Policy on our website, by sending you an email, or through other communication channels, and we will update the "Last Updated" date at the top of this Policy. We encourage you to review this Privacy Policy periodically.
13. Contact Us
If you have any questions, comments, or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us at:
Coral Automation Inc. dba Mandolin
2261 Market St STE 86638
San Francisco, California
Email: info@mandolin.com
If you are a patient of one of our Customers and have questions about your PHI, please contact your healthcare provider directly.