Privacy Policy

Last updated: May 31, 2026

This Privacy Policy explains what information EarnestMD collects when you visit earnestmd.com or use the authenticated rate-intelligence portal at app.earnestmd.com, how that information is used and shared, where it is stored, and the choices and rights you have. EarnestMD is a business-to-business software product for healthcare provider organizations and their advisors. We do not handle Protected Health Information (PHI), patient records, or claims data; see Section 9 for the full list of data we deliberately do not collect.

1. Who we are

“EarnestMD”, “we”, “us”, and “our” refer to the entity that operates the EarnestMD rate-intelligence platform and marketing site. For privacy requests, data subject rights requests, security questions, or DPA requests, contact us at info@earnestmd.com.

2. What we collect

We collect four buckets of information. Everything below is what the product actually records; we do not collect categories that are not enumerated here.

2.1 Account information

When your organization is provisioned in the portal, we create an account record containing: work email address (required, used as login identifier), display name (optional), assigned role (admin, staff, or client_contact), the client (practice) you are associated with for client_contact users, and last-login timestamp. The underlying authentication record (password hash, MFA factors, session tokens) is stored by our authentication sub-processor, Clerk; we do not see your password.

2.2 Usage information

When you interact with the assistant, we record the queries you submit, the tool calls the assistant makes on your behalf, the model token usage for each interaction, and the resulting conversation transcript. We use this to deliver the service, to meter usage against your plan, to debug failures, and to improve product quality. Conversation message bodies are redacted on a 30-day schedule; see Section 6.

We also record administrative actions (user provisioning, role changes, roster saves, report generation) in an immutable audit log alongside the actor, client context, IP address, and timestamp.

2.3 Technical information

When you load a page or call the API, our infrastructure records standard request metadata: IP address, user-agent string, request path, response status, and timing. Vercel (our frontend host) additionally generates short-lived edge request metadata including coarse geolocation derived from IP. Sentry (our error tracker) captures stack traces and request context for errors; this may include IP and user-agent for the affected request. We do not generate browser fingerprints beyond what is implicit in these standard request fields, and we do not embed third-party advertising or social-media trackers.

2.4 Cookies

The portal uses essential cookies set by Clerk to maintain your authenticated session and to prevent CSRF attacks. These cookies cannot be disabled without breaking sign-in. We do not set advertising cookies, cross-site tracking cookies, or personalization cookies on the marketing site or the portal. Our analytics provider, Plausible, is cookie-free by design.

3. How we use information

We use the information described above to:

  • authenticate you, enforce role-based access, and keep your session secure;
  • deliver the rate-benchmarking, peer-discovery, and report-generation features you have asked the assistant to perform;
  • meter usage against your engagement plan and any monthly model-spend budget your organization has configured;
  • monitor and debug the service (Sentry error tracking, uptime monitoring of /api/health);
  • maintain an audit log sufficient to investigate suspected abuse or a security incident;
  • improve product quality by reviewing aggregate, deidentified usage patterns (which tools are called, which payers are queried, which features fail);
  • generate aggregate, deidentified market-intelligence statistics from data that customers upload to the service (such as practice procedure volumes, contracted rate sheets, and NPI rosters submitted via the customer file-upload feature) and use those statistics internally to sharpen benchmarking estimates, AND publish or license them to third parties (such as healthcare consultants, advisory firms, payers, or researchers) as standalone benchmark reports, datasets, or APIs. See “How aggregation works” below for the protections we apply;
  • send service-related communications (account changes, security notices, scheduled maintenance, material policy updates).

We do not use your queries, your roster, or any portal data to train third-party machine-learning models. Our LLM sub-processor (Anthropic) operates under terms that prohibit use of API inputs and outputs for model training.

3.1 How aggregation works (and how to opt out)

When we derive aggregate market-intelligence statistics from customer-uploaded content, we apply the following protections so that no individual customer’s data can be reasonably reidentified from the aggregate:

  • NPIs, practice names, billing-entity names, and any customer-identifying fields are stripped before aggregation.
  • A minimum-cohort floor: no aggregate row (for a given CPT × payer × state × specialty bucket) may represent fewer than five (5) distinct customer organizations. Buckets that fall below five are dropped, not reported.
  • Geography is generalized to state or core-based statistical area (CBSA) — never finer than that in any externally distributed aggregate.
  • Rate values are reported as group statistics (median, percentiles, count) — never as the exact figure submitted by any one customer.

You may opt out of inclusion in third-party-licensed aggregates at any time by contacting info@earnestmd.com. Opt-out applies to future aggregation runs only and does not affect aggregates already published. The internal, operational use of aggregate, deidentified metrics described in the previous bullet (debugging, capacity planning, product improvement) cannot be opted out of separately while you remain a customer; it is necessary to operate the service.

4. Who we share information with

We do not sell or rent personal information, and we do not share it with advertisers or data brokers. We share information only with the sub-processors listed below, each of which provides a specific piece of operational infrastructure under a data processing agreement (or equivalent terms):

| Sub-processor | Purpose | Location | Policy |
| --- | --- | --- | --- |
| Clerk, Inc. | User authentication (sessions, MFA, password reset) | United States | link |
| Vercel, Inc. | Marketing site and portal frontend hosting (US edge) | United States | link |
| Render Services, Inc. | Backend API hosting (FastAPI) | United States | link |
| Neon, Inc. | Managed Postgres (tenant config, accounts, audit log) | United States (US-East region) | link |
| MotherDuck, Inc. | Managed DuckDB rate warehouse (analytics queries) | United States | link |
| Anthropic, PBC | Large language model inference (the assistant) | United States | link |
| Functional Software, Inc. dba Sentry | Application error tracking | United States | link |
| Plausible Insights OÜ | Privacy-respecting site analytics (no cookies, no cross-site tracking, no personal identifiers) | European Union (Estonia / Germany) | link |

Stripe will be added to this list when paid billing is enabled for your account; until then, no payment-card processor is in scope. We will give customers at least 30 days’ notice before adding or replacing a material sub-processor.

We may also disclose information when required by law (subpoena, court order, regulatory request) or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of EarnestMD, our customers, or the public.

5. Where we store information

All processing takes place in the United States. The specific storage locations are:

  • Neon Postgres (US-East) — tenant configuration, account records, conversation history (subject to the 30-day redaction below), audit log, and roster data.
  • MotherDuck (United States) — the national rate warehouse used by the assistant’s tools. Contains payer-published rate data and provider directory data; does not contain end-user account information.
  • Render (United States) — the FastAPI application container. Holds data in memory only for the life of a request.
  • Vercel edge / serverless (United States) — the Next.js frontend and edge cache. Stores no persistent application data.
  • Clerk (United States) — authentication records, including password hashes, MFA factors, and session tokens.

If you access the service from outside the United States, you are transferring information to the United States. For customers in the European Economic Area, the United Kingdom, or Switzerland whose engagement involves the processing of Personal Data subject to GDPR, we will enter into the European Commission’s Standard Contractual Clauses (Module 2, controller-to-processor) as part of the Data Processing Agreement.

6. How long we keep information

Account records are retained for the duration of your organization’s engagement and for a reasonable period thereafter for dispute-resolution and legal-compliance purposes.

Conversation message bodies are redacted on a rolling 30-day schedule: after 30 days the message text is replaced with a redaction marker, while the audit-log row (timestamp, actor, tool calls invoked, token usage, client context) is retained indefinitely for security and compliance review. This is the behavior of the forget_old_chats routine.

Aggregate, deidentified usage metrics (per-client query counts, per-payer call counts, model-token totals) are retained indefinitely for capacity planning and product analytics. Aggregate, deidentified market-intelligence statistics derived from customer-uploaded content (subject to the protections in Section 3.1) are likewise retained indefinitely. Aggregates that have already been published or licensed to a third party continue to exist in those third parties’ copies even after you opt out or close your account; opt-out applies to future aggregation runs.

If you would like us to delete an account or otherwise exercise your erasure rights, see Section 8.

7. Security

We maintain technical and organizational measures designed to protect information against unauthorized access, alteration, disclosure, or destruction. These include TLS 1.2+ on all public endpoints, encryption at rest at the database layer (Neon, MotherDuck), multi-factor authentication for internal accounts, a server-side NPI scope clamp that prevents the language model from widening its data access, an immutable audit log of privileged actions, and secret management via the dashboards of our hosting providers. Our full security posture — including sub-processor SOC 2 status, incident-response commitments, and tenant-isolation architecture — is published at /security.

No system is completely secure. In the event of a confirmed security incident affecting your data, we will notify the affected customer within 72 hours of confirming impact, with a description of the incident, the data involved, and our remediation steps. EarnestMD is SOC 2-ready (controls designed to map to SOC 2 Common Criteria) but is not yet SOC 2 certified; we do not claim certifications we have not earned.

8. Your rights

Depending on where you live, you may have rights under data protection laws such as the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar US state laws. These generally include:

  • Access — the right to ask what information we hold about you.
  • Correction — the right to ask us to correct inaccurate information.
  • Deletion / erasure — the right to ask us to delete your account and the personal information associated with it. The portal exposes an administrative endpoint (POST /api/admin/forget_user) that staff use to fulfill these requests.
  • Portability — the right to receive your account data and chat history in a machine-readable format.
  • Objection / restriction — the right to object to, or restrict, certain processing.
  • Non-discrimination — we will not retaliate against a user for exercising any of these rights.

EarnestMD acts as a data processor for end-user data of our business customers. If you are an authorized end user of a customer organization, your primary point of contact for these rights is that organization; we will work with them to honor your request. If you are unable to reach your organization, you may contact us directly at info@earnestmd.com and we will help route the request.

We do not sell personal information and we do not share it for cross-context behavioral advertising, so there is no “Do Not Sell or Share” signal to honor — we simply do not do those things.

9. What we do not collect

The product is intentionally scoped so that the following categories of data are out of scope and are not accepted by the Service:

  • Protected Health Information (PHI) as defined in 45 CFR § 160.103: no patient identifiers, diagnoses, treatment records, or encounter-level data.
  • Substance use disorder records subject to 42 CFR Part 2.
  • Claims data (your own or any payer’s).
  • Executed payer contracts or any PHI-derived materials.
  • Payment card data. When paid billing is enabled, our processor (Stripe) handles card data directly; card numbers never touch EarnestMD systems.
  • Children’s data. The Service is for business use by healthcare professionals and is not directed to children under 13 (or 16 in the EEA/UK).

If you become aware that any of the above has been transmitted to us in error, please notify us at info@earnestmd.com and we will work with you to delete it promptly.

10. How to contact us

Privacy questions, data subject rights requests, incident reports, and DPA requests should go to info@earnestmd.com.

Written correspondence may be sent to:

EarnestMD, LLC
Attn: Privacy Contact — Founder
11519 Kingston Pike, Unit 2154
Farragut, TN 37934
United States

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the “Last updated” date at the top, and — for changes that materially expand how we use or share information — we will notify account holders by email and in the portal at least 30 days before the change takes effect. Continued use of the Service after the effective date of an updated policy constitutes acceptance of the update.