Privacy Policy

Last Updated: February 15, 2026

Referra AI, Inc. ("Referra," "we," "us," or "our") is committed to protecting the privacy and security of the information we collect and process. This Privacy Policy describes how we collect, use, disclose, and protect information in connection with the Referra OS platform and our website at referraai.com (collectively, the "Services").

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, phone number, organization name, and role when you create an account or request a demo.
• Client Data: Information about clients receiving publicly funded care services, including names, dates of birth, county, service authorizations, and support plans. This data is entered and managed by authorized agency and provider users.
• Communication Data: Messages, notes, and communications exchanged through the platform's collaboration features.

1.2 Information Collected Automatically

• Usage Data: Log data, page views, feature usage, and session information.
• Device Information: Browser type, operating system, and IP address.

2. How We Use Information

We use collected information to:

• Provide, maintain, and improve the Referra OS platform
• Facilitate care coordination between agencies and service providers
• Process referrals and service authorizations
• Send service-related communications and notifications
• Respond to demo requests and customer inquiries
• Ensure platform security and prevent fraud
• Comply with legal obligations

3. Protected Health Information (PHI)

Referra OS processes data that may constitute Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). We handle PHI in accordance with the following:

• All PHI is stored and processed within the Salesforce platform, which maintains HIPAA compliance and SOC 2 certification.
• We enter into Business Associate Agreements (BAAs) with our customers as required by HIPAA.
• Access to PHI is controlled through role-based permissions and organization-level data isolation.
• PHI is never sold, shared for marketing purposes, or disclosed except as permitted by HIPAA and applicable law.

4. Data Sharing and Disclosure

We do not sell personal information. We may share information in the following limited circumstances:

• Between Organizations: Client and service data is shared between case management agencies and service providers as necessary for care coordination, in accordance with user permissions and data sharing agreements.
• Service Providers: We use Salesforce as our platform infrastructure provider. Salesforce processes data in accordance with their own privacy and security policies and our data processing agreement.
• Legal Requirements: We may disclose information when required by law, regulation, legal process, or governmental request.

5. Data Security

We implement industry-standard security measures to protect your data:

• All data is encrypted in transit (TLS) and at rest
• Role-based access control with field-level security
• Organization-level data isolation within the shared platform
• Regular security reviews and compliance audits
• Salesforce platform security (SOC 2 Type II certified)

6. Data Retention

We retain customer data for the duration of the service agreement and for a reasonable period thereafter to comply with legal obligations and resolve disputes. Upon termination of a customer agreement, data can be exported and will be deleted upon request in accordance with our data retention policy.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your personal information
• Object to or restrict processing of your data
• Request data portability
• Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@referraai.com.

8. Children's Privacy

Referra OS is not directed to children under 13. While client records may include minors receiving publicly funded services, such records are entered and managed by authorized adult users and are subject to all applicable privacy protections.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on our website with a revised "Last Updated" date.

10. Contact Us

If you have questions about this Privacy Policy or our data practices:

Referra AI, Inc.
Email: privacy@referraai.com
Website: referraai.com