
Privacy Policy

Last updated: March 10, 2026

CAI Systems, Inc. (“we,” “us,” or “Company”) operates the Talon API platform at talonapi.dev (the “Service”). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you access or use our Service, including our website, API endpoints, dashboard, and documentation.

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree with any part of this policy, you should not use the Service.

01 Information We Collect

Account Information

When you create an account, we collect your email address, organization name, and authentication credentials. We use Supabase Auth for identity management. Passwords are hashed using bcrypt and are never stored in plaintext.

API Usage Data

We log API requests including: your API key identifier (hashed), the endpoint called, request timestamp, response status code, response latency, and credit consumption. We do not log request bodies, clinical note content, or any Protected Health Information (PHI) in our usage logs.

Clinical Data Submitted via API

When you use our gap analysis or appeal generation endpoints, you may submit clinical notes or patient information. This data is:

  • Processed in real time by our AI inference pipeline (covered under a HIPAA Business Associate Agreement)
  • Not stored, cached, or persisted after the API response is returned
  • Not used to train or fine-tune any AI models
  • Encrypted in transit using TLS 1.2 or later

Payment Information

Payment processing is handled entirely by Stripe. We do not receive, store, or have access to your full credit card number, CVV, or banking details. We receive only a Stripe customer ID and transaction confirmation.

Automatically Collected Information

When you visit our website or dashboard, we may automatically collect: IP address, browser type and version, operating system, referring URL, pages visited, and time spent. We use this data for security monitoring, abuse prevention, and aggregate analytics only.

02 How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and authorize API access
  • Process transactions and manage your credit balance
  • Monitor API usage for rate limiting, abuse prevention, and billing accuracy
  • Send transactional communications (account verification, password resets, usage alerts)
  • Respond to support requests and inquiries
  • Comply with legal obligations and enforce our Terms of Service
  • Detect and prevent fraud, security incidents, and unauthorized access

We do not sell your personal information. We do not use your data for advertising. We do not share your data with third-party data brokers.

03 HIPAA Compliance & Protected Health Information

Talon API is designed to process Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Our compliance posture includes:

  • Business Associate Agreement (BAA) available for covered entity and business associate customers
  • BAA executed with Vercel (hosting) for HIPAA-compliant infrastructure
  • BAA executed with our AI inference provider for HIPAA-compliant processing
  • Zero-retention policy for PHI: clinical data is processed in memory and never persisted to disk or database
  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • API keys are hashed using bcrypt; raw keys are never stored after initial generation
  • Access controls enforced via row-level security (RLS) in our database
  • Regular security assessments and vulnerability monitoring

If you are a covered entity or business associate under HIPAA and require a BAA, please contact us at support@talonapi.dev.

04 Data Retention

Data category                    Retention period
Account data                     Retained until account deletion
API usage logs                   Retained for 90 days, then aggregated and anonymized
Clinical note content (PHI)      Zero retention; processed in memory only, never stored
Payment records                  Retained per legal/tax requirements (typically 7 years)
Support correspondence           Retained for 2 years after resolution
Server/access logs               Retained for 30 days for security monitoring

05 Third-Party Service Providers

We use the following third-party services to operate the platform:

Provider                 Purpose                        Data shared                                  BAA
Vercel                   Hosting and edge deployment    Request metadata, server logs                BAA
Supabase                 Database and authentication    Account data, usage records                  BAA
AI Inference Provider    AI model inference             Clinical text (transient, zero-retention)    BAA
Stripe                   Payment processing             Payment method, billing address              N/A
Upstash                  Rate limiting and caching      API key hashes, rate counters                No BAA

No PHI is transmitted to any service that does not have a BAA in place. Upstash receives only hashed API key identifiers and rate-limit counters; it never receives clinical content or raw API keys.

06 Data Security

We implement technical and organizational measures to protect your data, including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for all data at rest
  • bcrypt hashing for API keys and passwords
  • Row-level security (RLS) policies in the database
  • Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • Rate limiting to prevent brute-force and abuse
  • Regular dependency auditing and vulnerability scanning
  • Principle of least privilege for all service accounts

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

07 Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete personal data
  • Request deletion of your personal data
  • Restrict or object to certain processing of your data
  • Request portability of your data in a machine-readable format
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at support@talonapi.dev. We will respond within 30 days.

08 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information we hold about you
  • Right to opt out of the sale or sharing of personal information (we do not sell or share personal information)
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit the use of sensitive personal information

We do not sell personal information as defined by the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.

09 Cookies & Tracking

We use only essential cookies necessary for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Cookie                              Purpose                            Category     Duration
sb-*-auth-token                     Supabase authentication session    Essential    Session
sb-*-auth-token-code-verifier       PKCE auth flow verification        Essential    Session

10 Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at support@talonapi.dev.

11 International Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States where our servers and service providers are located. By using the Service, you consent to the transfer of your information to the United States and acknowledge that data protection laws in the United States may differ from those in your jurisdiction.

12 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For material changes that affect how we handle PHI, we will provide at least 30 days' notice via email. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13 Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us:

Email: support@talonapi.dev

Entity: CAI Systems, Inc.

Web: talonapi.dev