Clinicus — Privacy Policy
Effective Date: [February 1, 2026]
Publisher: Sciometrix, Inc. • Royal Oak, Michigan, USA
Contact: privacy@sciometrix.com
1. Who we are and what this policy covers
Clinicus is a clinical management platform for licensed healthcare providers, offered as a web and mobile app (the “Platform”). It lets authorized providers view patient records, document encounters, manage care plans, and coordinate care. Clinicus is provider‑only; patients do not log in to Clinicus.
This policy explains how Sciometrix, Inc. (“Sciometrix,” “we,” “our”) handles information when providers and their staff use Clinicus.
At a glance
• We operate as a Business Associate under HIPAA with each Covered Entity (provider organization) we serve, under a Business Associate Agreement (BAA).
• We do not sell Protected Health Information (PHI) or provider data.
• We use strong security controls (encryption, MFA, RBAC, audit logs) and host in HIPAA‑eligible U.S. cloud infrastructure.
2. Scope
This policy applies to the Clinicus web app, iOS and Android mobile apps, data processed within the Platform, and integrations (e.g., EHRs and secure messaging). It does not cover third‑party sites you may access from the Platform or processing done by providers outside the Platform.
3. Information we process
3.1 Protected Health Information (PHI)
Depending on the features you use and your EHR integrations, PHI may include patient demographics, clinical data (diagnoses, medications, vitals, device readings), encounter documentation, billing data, and outreach logs.
3.2 Provider & user account data
Name, credentials (e.g., NPI, license numbers), work contact details, organization/role, login credentials (hashed/salted), and MFA device info.
3.3 Technical & usage data
Device and browser details, IP address, session metadata, feature interactions, API and error logs. Collected for security, performance, and compliance auditing.
4. How we use information
• Core platform functions: Display records, document care, manage care plans, support CCM/RPM workflows, and support billing.
• Integrations: Bidirectional exchange with EHRs (e.g., HL7 FHIR) and secure communication vendors, as enabled by your organization.
• Security & compliance: Access auditing, anomaly detection, incident response, and required reporting.
• Support & improvement: Troubleshooting and product enhancement using de‑identified analytics where applicable. We do not use PHI for marketing or ads.
5. Our legal basis & HIPAA role
Sciometrix acts as a Business Associate and processes PHI under BAAs for treatment, payment, and healthcare operations (TPO) and as otherwise permitted by law. We apply the HIPAA minimum necessary standard and comply with HITECH requirements.
6. Security
We align with HIPAA Security Rule controls and industry frameworks. Safeguards include encryption in transit (TLS 1.2+) and at rest (AES‑256), MFA, RBAC/least privilege, automatic session timeout, comprehensive audit logs, intrusion detection, routine testing, and HIPAA‑eligible U.S. cloud hosting.
7. Sharing & disclosures
We do not sell PHI or provider data. We disclose only to:
• EHR integration partners for bidirectional data exchange under applicable agreements;
• HIPAA‑bound subprocessors (e.g., cloud, security monitoring, support tooling);
• Secure messaging/SMS vendors under BAAs, when enabled;
• Legal/regulatory requests, required reporting, or business transfers with equivalent protections.
8. Data retention & deletion
We retain PHI and required records consistent with HIPAA (minimum six years) and applicable law. At service termination, we will return or securely destroy PHI per your BAA and HIPAA disposal requirements.
9. Provider responsibilities & rights
Provider organizations control user access and are responsible for deactivations upon role changes. Privacy Officers may request organization‑specific audit logs by emailing privacy@sciometrix.com.
10. Breach notification
If we determine a Breach of Unsecured PHI under HIPAA, we will notify the affected Covered Entity without unreasonable delay and within 60 days of discovery, and cooperate in the response.
11. Cookies & mobile permissions
• Web cookies: Session cookies only (e.g., CSRF protection); no ad/behavioral cookies.
• Mobile permissions: Optional biometrics for login (processed by your device), camera (e.g., document scanning), push notifications, and network access.
12. International data transfers
Clinicus is intended for U.S. provider use; PHI is stored and processed in the United States.
13. Children’s privacy
Clinicus is for professional use by licensed healthcare staff and is not directed to individuals under 18.
14. Updates to this policy
We may update this policy for operational, legal, or regulatory reasons. We will post updates with a new effective date and notify designated admins of material changes.
15. Contact
Sciometrix, Inc. — Privacy & Compliance
Email: privacy@sciometrix.com • Website: www.sciometrix.com