Privacy Policy

Effective Date: January 1, 2025

Last Updated: March 15, 2025

1. Introduction

Adjuvex, Inc. ("Adjuvex," "we," "our," or "us"), a product of PrimeMind Labs, provides an AI-powered Revenue Cycle Management (RCM) platform designed to help healthcare organizations analyze claims, manage denials, assess RADV risk, and generate appeals. We understand that the information entrusted to us — including Protected Health Information (PHI) — is sensitive and deserves the highest level of protection.

This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our platform, website, and associated services (collectively, the "Services"). It also describes your rights with respect to your information.

Adjuvex is committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and all applicable state and federal privacy laws. Where we act as a Business Associate to covered entities, our obligations are governed by a Business Associate Agreement (BAA) executed with each customer.

2. Information We Collect

We collect information in the following categories depending on how you interact with our Services:

Protected Health Information (PHI)

When healthcare organizations use our platform to process claims, we may receive PHI including patient names, dates of service, diagnosis codes (ICD-10), procedure codes (CPT), National Provider Identifiers (NPI), payer identifiers, and other data elements contained in FHIR R4 resources or EDI 837/835 transactions. This information is processed solely to deliver the Services under the terms of an executed BAA.

Billing and Financial Data

We collect billing information necessary to process subscription payments, including contact name, billing address, and payment method details. Payment card data is handled exclusively by our PCI-DSS-compliant payment processor and is never stored on Adjuvex infrastructure.

Account Information

When you register for an account, we collect your name, email address, job title, organization name, and a hashed password. Administrators may also provide organization identifiers, NPI numbers, Tax Identification Numbers (TINs), and payer contract details necessary to configure the platform.

Usage and Technical Data

We automatically collect certain technical data including IP addresses, browser type and version, operating system, referring URLs, pages visited, session duration, and feature interaction events. This data is used to maintain platform security, diagnose technical issues, and improve the Services. We do not link usage data to PHI.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To process claims data, generate denial predictions, produce appeal letters, calculate RADV risk scores, and deliver all features of the Adjuvex platform.
  • Account Management: To create and maintain your account, authenticate your identity, and manage your subscription.
  • HIPAA-Compliant Analysis: To apply AI and statistical models to de-identified or appropriately authorized PHI for the purpose of improving claims outcomes for your organization.
  • Communications: To send transactional emails (account confirmations, password resets, billing receipts), product updates, and service announcements. You may opt out of non-transactional communications at any time.
  • Security and Fraud Prevention: To detect unauthorized access, investigate suspicious activity, and protect the integrity of the platform.
  • Legal Compliance: To comply with applicable laws, respond to lawful requests from government authorities, and enforce our Terms of Service.

We do not sell, rent, trade, or otherwise transfer your PHI or personally identifiable information to third parties for marketing, advertising, or any commercial purpose outside the scope of the Services.

4. HIPAA and PHI Handling

Adjuvex operates as a Business Associate under HIPAA when processing PHI on behalf of covered entities (hospitals, physician practices, billing companies, and health plans). Before any PHI may be transmitted to or processed by Adjuvex, a fully executed Business Associate Agreement must be in place between Adjuvex and the covered entity.

Minimum Necessary Standard: We access, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose. Our platform is architected so that PHI is compartmentalized by customer tenant, and no cross-tenant data access is permitted.

De-identification: Where AI model training or aggregate analytics are performed, PHI is de-identified in accordance with the HIPAA Safe Harbor method (45 CFR §164.514(b)) or the Expert Determination method prior to use. De-identified data is not considered PHI and may be used to improve the Services.

Subcontractors: We may engage subcontractors (sub-Business Associates) to assist in delivering the Services. All subcontractors who may access PHI are required to execute a BAA with Adjuvex and are bound to the same privacy and security obligations we maintain.

5. Data Security

We implement industry-leading technical, administrative, and physical safeguards to protect your information from unauthorized access, disclosure, alteration, and destruction:

  • Encryption at Rest: All data stored on Adjuvex infrastructure is encrypted using AES-256. Database volumes, file storage, and backup snapshots are all encrypted.
  • Encryption in Transit: All data transmitted between your browser and our servers, and between our internal services, uses TLS 1.3. We enforce HTTPS across all endpoints and implement HTTP Strict Transport Security (HSTS).
  • Access Controls: Access to production systems and PHI is restricted to authorized personnel on a need-to-know basis. We enforce multi-factor authentication (MFA) for all administrative access, role-based access control (RBAC) within the application, and comprehensive audit logging of all PHI access events.
  • Network Security: Our cloud infrastructure is deployed within isolated Virtual Private Clouds (VPCs) with strict firewall rules, intrusion detection systems, and regular vulnerability scanning.
  • SOC 2 Type II: Adjuvex is actively pursuing SOC 2 Type II certification. We maintain security controls aligned with the AICPA Trust Services Criteria and conduct annual third-party penetration testing.
  • Employee Training: All Adjuvex personnel with access to PHI complete HIPAA training upon hire and annually thereafter.

Despite our safeguards, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at security@adjuvex.com.

6. Data Retention

We retain PHI and associated claims data for a minimum of seven (7) years from the date of last service in accordance with HIPAA requirements (45 CFR §164.530(j)) and applicable state medical records laws, which may impose longer retention periods.

Account information is retained for the duration of the active subscription and for two (2) years following account termination to facilitate dispute resolution, regulatory inquiries, and audit requirements.

Upon written request and subject to legal retention obligations, we will delete or de-identify your information within thirty (30) days. Deletion requests for PHI must be submitted by an authorized representative of the covered entity and may be subject to applicable HIPAA restrictions on deletion.

7. Your Rights

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information we hold about you or your organization.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations and any applicable HIPAA requirements. Note that deletion of PHI may be restricted where retention is required by law.
  • Data Portability: Request an export of your account data and processed claims data in a structured, machine-readable format (JSON or CSV). PHI exports are subject to BAA requirements.
  • Objection and Restriction: Object to certain processing activities or request that we restrict processing of your information in certain circumstances.
  • Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@adjuvex.com. We will respond to verified requests within thirty (30) days. We may need to verify your identity before processing your request.

8. Third-Party Services

We use the following categories of third-party services to operate the platform:

  • Cloud Infrastructure (AWS): Our platform is hosted on Amazon Web Services (AWS) in HIPAA-eligible service regions within the United States. AWS serves as a sub-Business Associate and we maintain a BAA with AWS covering all HIPAA-eligible services.
  • Analytics: We use privacy-respecting analytics tools to understand aggregate platform usage. Analytics data does not contain PHI and is configured to anonymize IP addresses.
  • Payment Processing: Subscription billing is handled by a PCI-DSS Level 1 certified payment processor. We do not store full payment card numbers; only the last four digits and card type are retained for display purposes.
  • Email Delivery: Transactional emails are sent via a third-party email delivery service. Email content may include account information but never PHI.
  • Error Monitoring: We use application error monitoring tools to detect and resolve technical issues. These tools are configured to scrub PHI and personally identifiable information from error reports.

We do not share your information with third parties for their own marketing or advertising purposes. All third-party processors are bound by data processing agreements consistent with applicable law.

9. Cookies and Tracking

We use a minimal set of cookies to operate the Services:

  • Essential Cookies: Required for authentication, session management, and platform security. These cannot be disabled without affecting core functionality.
  • Analytics Cookies: Optional cookies that help us understand how users interact with the platform so we can improve it. You may decline these without affecting your use of the Services.

We do not use advertising cookies, cross-site tracking, or third-party behavioral advertising technology. We do not participate in ad networks, retargeting, or any tracking that would allow your usage of Adjuvex to be shared with advertisers.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will provide at least thirty (30) days' advance notice of material changes by:

  • Posting the updated policy on this page with a revised "Last Updated" date
  • Sending an email notification to the primary account contact
  • Displaying a notice within the Adjuvex dashboard

Your continued use of the Services after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must discontinue use of the Services and contact us to arrange account closure.

11. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us:

Privacy Team — Adjuvex, Inc.

A PrimeMind Labs Product

Email: privacy@adjuvex.com

For HIPAA-specific inquiries: hipaa@adjuvex.com

Adjuvex, Inc. is incorporated in the State of Delaware, United States.