Privacy Policy
Last updated June 6, 2026.
This policy explains what data Upstream collects, why, and how we protect it. We keep it plain on purpose. If anything here is unclear, write to us and we will explain it.
Data we handle
We work with a few kinds of data:
- Account data. Names, work emails, practice details, and roles for the people who use Upstream.
- Practice operations data. Payer submissions, requirements, and outcomes we process to run the work for your practice.
- Protected health information (PHI). When PHI is required to do the work, it is handled under a Business Associate Agreement. See the section below.
- Usage data. How the product is used, so we can keep it fast and find problems. We do not sell this.
How we handle PHI
Protected health information stays encrypted at rest and in transit. It is scoped to your practice, never pooled across customers. Every action that touches PHI waits for a human on your team to approve before it executes. Access is logged.
We use PHI only to perform the services you ask for. We do not use it to train shared models, and we never include it in benchmarks or any data we share with others.
How we use data
We use your data to provide and improve the service, to communicate with you, and to meet our legal and contractual duties. We do not sell personal data. We do not share PHI except as your agreements and the law allow.
Cookies and analytics
Our website uses a small number of cookies and a privacy-conscious product analytics tool to keep the site working and to understand which pages help people. This tells us things like which page a visit started on and which links get used. It does not include protected health information, and we do not use it to build advertising profiles or sell your data.
You can block or clear cookies in your browser at any time, and the site still works without them. We also honor the browser Do Not Track signal: when it is on, our analytics do not run for you.
Subprocessors
We rely on a small set of vetted vendors for hosting, infrastructure, and communication. Each is bound by terms that protect your data, and PHI vendors operate under a Business Associate Agreement. We will give notice before we add a material subprocessor.
For the current list, write to privacy@upstream.cx.
Your choices
You can ask to access, correct, or delete the personal data we hold about you, subject to the contracts and laws that apply to your practice. Reach us using the contact below and we will respond.
Data retention
We keep data for as long as your account is active and as long as we need it to meet legal, accounting, or reporting requirements. When data is no longer needed, we delete or anonymize it.
Changes to this policy
We update this policy as the product and the law change. When we make a material change, we update the date at the top and, where appropriate, tell you directly. Continued use of the service after a change means you accept the updated policy.
Contact
Questions about this policy, or about your data, go to privacy@upstream.cx. For security reports, see our security contact.