This Privacy Policy describes how Quemra (“Quemra,” “we,” “our,” or “us”) collects, uses, shares, and protects personal information when you use our website, applications, APIs, and related services (collectively, the “Service”). By using the Service, you acknowledge the practices described in this Policy. This Policy is incorporated into and governed by our Terms of Service.
If you do not agree with this Policy, please do not use the Service.
1. Scope and Application
This Policy applies to information that we collect through the Service. It does not apply to information collected by third-party websites, applications, or services that may be linked to or integrated with the Service. Where the Service is used by an organization (for example, an ABA agency), that organization is the controller of any information submitted by its personnel through the Service, and we process such information as a service provider on its behalf.
2. Information We Collect
2.1 Information You Provide: Your email address (used to verify and authenticate your Account; we do not use passwords), the parameters of any search you run (ZIP code, radius, specialty selections), customer data you generate within the Service (saved searches, pipeline state, notes, outreach templates), billing information collected by our payments processor for paid plans, and the contents of any messages you send to us through support, contact forms, or feedback widgets.
2.2 Information Collected Automatically: A SHA-256 hash of your IP address combined with a daily-rotated salt and a server-side secret, used for rough abuse prevention; we do not store the raw IP address. We also collect your browser’s self-reported user-agent string solely for debugging and compatibility, and we set a single HTTP-only authentication cookie to keep you signed in.
2.3 Information from Third Parties: To deliver search results, we use professional provider information from business data providers and healthcare directories. This “Provider Data” describes healthcare providers in their professional capacity and is not personal information about you.
2.4 What We Do Not Collect: We do not collect patient or clinical data, advertising identifiers, third-party tracking pixels, or biometric information. The Service does not include third-party analytics or marketing trackers.
3. How We Use Information
We use the information described in Section 2 to:
- operate, maintain, and improve the Service;
- authenticate your Account and prevent unauthorized access;
- fulfill your search requests and deliver search results;
- process payments and administer paid subscriptions through our payments processor;
- send transactional communications, including verification codes, alerts, and notices about changes to the Service;
- detect, investigate, and prevent fraud, abuse, security incidents, and other unlawful activity;
- comply with legal obligations and respond to lawful requests; and
- enforce our Terms of Service.
We do not sell, rent, or trade personal information. We do not use personal information for behavioral advertising or profiling.
4. Legal Bases for Processing
For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and equivalent laws:
4.1 Performance of a Contract: to provide the Service you request.
4.2 Legitimate Interests: to maintain Service integrity, prevent abuse, and improve our product, balanced against your privacy interests.
4.3 Compliance with Legal Obligations: including tax, accounting, and lawful-request handling.
4.4 Consent: where required, for example for non-essential communications. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5. How We Share Information
5.1 Service Providers: We share information with vendors who process it on our behalf to deliver the Service, including providers of hosting infrastructure, payment processing, transactional email delivery, AI inference (where you have opted into AI-assisted features), and email validation. Each vendor is bound by contractual obligations of confidentiality and data protection and may use the information only as necessary to perform its services for us.
5.2 Legal and Compliance: We may disclose information when we reasonably believe disclosure is required to comply with law, valid legal process, or to protect the rights, property, or safety of Quemra, our users, or the public.
5.3 Business Transfers: If we are involved in a merger, acquisition, financing, or sale of all or part of our assets, information may be transferred subject to standard confidentiality protections and will remain subject to a privacy policy at least as protective as this one.
5.4 With Your Direction: If you connect a third-party integration (for example, a CRM webhook or a connected email account for sending), we share data with that integration only as you direct.
6. Data Retention
We retain personal information only for as long as necessary to provide the Service and for legitimate business or legal purposes. Specifically:
- Account data: kept for the life of your Account and up to ninety (90) days after termination, after which it is deleted from production systems;
- Search snapshots and CSV exports: kept for twenty-four (24) hours from generation;
- Hashed IP records: kept up to thirty (30) days and used solely for abuse prevention;
- Billing records: kept for the period required by applicable tax and accounting law;
- Backup copies: expired on a rolling basis as part of our standard backup rotation.
7. Data Security
We maintain administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.2 or higher), least-privilege access controls, audit logging, and regular security review of third-party vendors. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. Your Rights and Choices
8.1 Access, Correction, and Deletion: You may request access to, correction of, or deletion of personal information associated with your Account by contacting us at the address in Section 14. We will respond within thirty (30) days, subject to verification of your identity.
8.2 Portability: You may export your data, including saved searches, pipeline state, and CSV outputs, from within the Service.
8.3 Objection and Restriction: If you are in the EEA, the United Kingdom, or Switzerland, you have the right to object to or request restriction of certain processing activities based on our legitimate interests.
8.4 California Residents (CCPA / CPRA): California residents may request to know what categories of personal information we have collected, request deletion of such information, and request that we not “sell” or “share” their information for cross-context behavioral advertising. We do not sell or share personal information for these purposes.
8.5 Complaint: You have the right to lodge a complaint with a competent data-protection authority. We encourage you to contact us first so that we can attempt to resolve your concerns directly.
9. International Data Transfers
Our infrastructure is located primarily in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, which may have data protection laws different from your country. Where required by law, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.
10. Cookies and Similar Technologies
We use a single, strictly-necessary HTTP-only cookie to maintain your authenticated session. We do not use advertising cookies, analytics cookies, social-media cookies, or any third-party tracking technologies. Because our cookie is strictly necessary for the Service to function, no consent banner is presented; the Service will not work without it.
11. Children’s Privacy
The Service is intended for use by adults in a business context. We do not knowingly collect personal information from individuals under the age of eighteen (18). If you believe we have collected such information, please contact us at the address in Section 14 and we will delete it promptly.
12. Third-Party Links
The Service may contain links to third-party websites, products, or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third party before providing them with personal information.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date above and notify Account holders by email or through an in-Service notice at least seven (7) days before the change takes effect.
14. Contact
For questions about this Policy or to exercise any of the rights described in Section 8, please contact:
Quemra
Attn: Privacy
support@quemra.com