Privacy Policy
Effective Date: April 1, 2026 · Last Updated: April 1, 2026
BasaltLabs LLC (“BasaltLabs,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use the Handoff application and related services (the “Service”). By using the Service, you consent to the practices described herein.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address and authentication credentials. If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not store credit card numbers, bank account numbers, or other payment instrument details on our servers.
1.2 User-Submitted Content
When you use the Service, you submit text or audio input (“Input”) which is processed to generate formatted reports (“Output”). You must not submit any Protected Health Information (“PHI”) or personally identifiable patient information. Input and Output are encrypted at rest using AES-256-GCM encryption and are associated with your account for the purpose of providing the Service.
1.3 Usage Data
We automatically collect certain information about your use of the Service, including: report generation count, subscription status, feature usage metrics, and general interaction patterns. This data is used to operate, maintain, and improve the Service.
1.4 Device and Log Data
We may collect standard log information such as browser type, operating system, IP address, referring URLs, and timestamps. This data is used for security monitoring and service optimization.
2. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the Service;
- Process your input through AI models to generate reports;
- Manage your account and subscription;
- Communicate with you regarding the Service, including service announcements and security alerts;
- Monitor and analyze usage trends to improve the Service;
- Detect, prevent, and address technical issues, fraud, or abuse;
- Comply with legal obligations.
3. Third-Party Service Providers
We engage the following categories of third-party processors to operate the Service:
AI Processing
User-submitted text is transmitted to Anthropic, PBC for AI-powered report generation. Anthropic processes data in accordance with its commercial terms and does not use customer inputs to train its models.
Speech-to-Text
Audio recordings, if used, are processed by ElevenLabs, Inc. for transcription. Audio data is processed transiently and is not retained by the provider after transcription is complete.
Data Storage
Account data and encrypted reports are stored on Supabase (backed by AWS infrastructure). All sensitive fields are encrypted at rest using AES-256-GCM before storage.
Payment Processing
Subscription payments are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We do not handle or store payment card data.
Hosting
The Service is hosted on Vercel, Inc. infrastructure. Vercel processes requests and serves the application but does not access user content.
4. Data Security
We implement commercially reasonable technical and organizational measures to protect your information, including:
- AES-256-GCM encryption of sensitive report data at rest;
- TLS 1.2+ encryption for all data in transit;
- Server-side authentication and authorization on all API endpoints;
- Row-level security policies on database tables;
- Rate limiting to prevent abuse.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
5. HIPAA Notice
Handoff is not a HIPAA-covered entity and does not operate as a Business Associate. The Service is designed for use with de-identified clinical information only. Users are prohibited from submitting PHI as defined under 45 C.F.R. § 160.103. BasaltLabs has not executed a Business Associate Agreement (BAA) and assumes no obligations under HIPAA with respect to any data submitted to the Service.
If you are a healthcare provider or Covered Entity, it is your sole responsibility to ensure that your use of the Service complies with all applicable HIPAA regulations and that no PHI is transmitted to the Service.
6. Data Retention
We retain your account information and encrypted reports for as long as your account remains active. Upon account deletion, we will delete or anonymize your personal data within 30 days, except as required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution). Aggregated, anonymized usage statistics may be retained indefinitely.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete personal data;
- Delete your personal data, subject to legal retention requirements;
- Export your data in a portable format;
- Object to or restrict certain processing activities;
- Withdraw consent where processing is based on consent.
To exercise any of these rights, contact us at privacy@basaltlabs.app. We will respond to verified requests within 30 days.
8. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact privacy@basaltlabs.app.
9. Cookies and Tracking
The Service uses essential cookies required for authentication and session management. We do not use third-party advertising cookies or cross-site tracking technologies. No data is shared with advertising networks.
10. Children’s Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
11. International Users
The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using the Service, you consent to such transfer and processing.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the “Last Updated” date. Your continued use of the Service after such changes constitutes acceptance of the revised Privacy Policy.
13. Contact
For questions or concerns regarding this Privacy Policy or our data practices, contact us at:
BasaltLabs LLC
Email: privacy@basaltlabs.app