Privacy Policy

Natzar ("Company," "we," "our," or "us") provides AI-powered primary care services purpose-built for Medicaid populations, delivered in partnership with Independent Physician Associations (IPAs), Federally Qualified Health Centers (FQHCs), and other licensed healthcare organizations.

This Privacy Policy explains how we collect, use, disclose, and protect information — including Protected Health Information (PHI) — when you visit our website https://natzar.ai, request a demo, or otherwise interact with our Services.

By using our website or Services, you agree to the practices described in this Privacy Policy.

1. Who This Policy Applies To

This Privacy Policy covers two categories of individuals:

• Prospective partners and website visitors — including representatives of IPAs, FQHCs, health plans, and other organizations who visit our website, request information, or engage with us about a potential partnership.

• Patients — individuals who receive care through Natzar's AI doctor service via one of our licensed partner organizations.

The information we collect, and how we handle it, differs significantly between these two categories, as described below.

2. Information We Collect

2.1 From Prospective Partners and Website Visitors

When you visit our website or engage with us about a partnership, we may collect:

• Professional contact details: name, work email, phone number, title, and organization.

• Organizational information: name and type of your organization (IPA, FQHC, health plan, etc.), patient population characteristics you choose to share, and the topics you wish to discuss.

• Communications: the content of demo requests, emails, meeting notes, and other correspondence with our team.

2.2 From Patients

When a partner organization deploys Natzar to serve its patient population, we collect, on behalf of and under the direction of that partner:

• Personal identifiers: name, date of birth, contact details, and insurance/member ID.

• Health information: patient responses to clinical questions, medical history, symptoms, lifestyle information, and other data necessary to deliver care and clinical recommendations.

• Clinical encounter records: transcripts of AI-mediated interactions, clinician notes, prescriptions, referrals, and lab orders.

2.3 Automatically Collected Information

When anyone interacts with our website or platform, we may automatically collect:

• Device information (browser type, operating system).

• IP address and approximate geolocation (where permitted by law).

• Usage logs (pages visited, features used, time of access).

3. How We Use Your Information

3.1 Partner and Website Visitor Information

We use information collected from prospective partners and website visitors to:

• Respond to demo requests and partnership inquiries.

• Send relevant updates about Natzar's services, pilot results, and clinical evidence.

• Maintain and improve our website and partner-facing materials.

• Conduct internal business operations, including analytics, security, and recordkeeping.

3.2 Patient Information

We use patient information solely on behalf of, and under the direction of, the partner healthcare organization that delivers care to that patient, including to:

• Generate clinical guidance reviewed by licensed physicians on our clinical team.

• Coordinate referrals, prescriptions, lab orders, and follow-up care within the partner's network.

• Support quality measure reporting (including HEDIS) and care-gap closure on behalf of the partner.

• Communicate with the patient about their care, results, and follow-ups.

• Comply with applicable laws and regulations, including HIPAA.

4. How We Share Your Information

We share information only as described in this Privacy Policy and as permitted by HIPAA and other applicable laws.

• With licensed physicians and authorized healthcare providers, including our clinical team and the partner organization's providers, to review patient care and coordinate referrals.

• With third-party service providers, including cloud hosting, communications, and analytics providers, who are bound by appropriate confidentiality and, where applicable, Business Associate Agreements (BAAs).

• With partner healthcare organizations, as the covered entity directing the care of the relevant patient, in accordance with our BAA with that partner.

• For legal and compliance reasons, including to comply with subpoenas, court orders, or other valid legal processes.

• In connection with corporate transactions such as a merger, acquisition, or sale of assets, where any PHI transferred would remain protected under HIPAA.

We do not sell PHI or partner contact information to third parties.

5. HIPAA Compliance and Business Associate Agreements

Natzar operates as a Business Associate under HIPAA when delivering services to patients on behalf of a covered entity partner (such as an IPA, FQHC, or health plan).

Before any patient data flows to Natzar, we enter into a Business Associate Agreement (BAA) with the partner organization that governs:

• Permitted uses and disclosures of PHI.

• Safeguards we must maintain.

• Breach notification obligations.

• Subcontractor BAAs with our downstream service providers.

• Return or destruction of PHI upon termination.

Natzar complies with the HIPAA Privacy, Security, and Breach Notification Rules. If a breach of unsecured PHI occurs, we will notify the affected partner organization without unreasonable delay, as required by the HIPAA Breach Notification Rule, so the covered entity can fulfill its notification obligations to affected individuals.

6. Security Measures

We implement administrative, technical, and physical safeguards designed to protect both partner information and PHI, including:

• Workforce training and strict access policies based on least-privilege principles.

• Data encryption in transit and at rest.

• Multi-factor authentication, continuous monitoring, and audit logging.

• Role-based access controls and regular access reviews.

• Restricted physical access to infrastructure and supporting environments.

• Subprocessor due diligence and contractual safeguards.

While no system is 100% secure, we continuously update and improve our safeguards to meet HIPAA requirements and healthcare industry best practices.

7. Your Rights

7.1 Patient Rights

Under HIPAA and applicable laws, patients have the right to:

• Access their health information.

• Request corrections to their health information.

• Receive an accounting of disclosures of their PHI.

• Request restrictions on how their PHI is used or shared.

• Request confidential communications.

• File a complaint if they believe their privacy rights have been violated.

In most cases, patients should direct these requests to their healthcare provider (the covered entity partner). We will assist the covered entity in responding to these requests as required under our BAA. Patients may also contact us directly at privacy@natzar.ai.

7.2 Partner and Website Visitor Rights

If you are a prospective partner or website visitor and wish to access, correct, or delete the personal information we hold about you, or unsubscribe from our communications, please contact us at privacy@natzar.ai.

8. Communications by Email and Text Message

8.1 Purpose of Communications

By providing your email address or phone number, you consent to receive communications from Natzar. These may include:

• For prospective partners: demo confirmations, follow-up correspondence, partnership updates, and relevant materials about our services.

• For patients (via partner deployments): clinical communications, appointment reminders, follow-up notifications, referrals, and account-related alerts.

8.2 Compliance With Applicable Laws

Natzar safeguards any PHI transmitted by email or text in accordance with HIPAA requirements. We also comply with the CAN-SPAM Act for email and the Telephone Consumer Protection Act (TCPA) for text messaging.

8.3 Opting Out

You may opt out of receiving marketing or promotional communications at any time by following the unsubscribe instructions in the message or by contacting us directly. You may not opt out of essential communications that are necessary for the delivery of Services, such as patient clinical communications, security notices, or legally required notifications.

8.4 Message and Data Rates

Standard message and data rates from your mobile carrier may apply when receiving SMS communications. Natzar is not responsible for these charges.

9. U.S. Only

Natzar's Services are intended solely for organizations and individuals located within the United States and are governed by U.S. federal and state laws, including HIPAA. We do not market, offer, or provide Services to individuals or organizations outside the United States. If you access our Services from outside the U.S., you do so at your own initiative and are responsible for compliance with local laws.

10. Children's Privacy

Our website is not directed to children under 18. Pediatric patients may receive care through Natzar only when their parent or legal guardian provides consent through the partner healthcare organization in accordance with applicable laws.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" above and provide notice as required by law or by our agreements with partner organizations. Continued use of our Services after updates indicates acceptance of the revised policy.

12. Contact Us

For questions or concerns about this Privacy Policy, our privacy practices, or HIPAA rights, please contact:

Natzar Email: privacy@natzar.ai