Privacy policy

Claire Privacy Policy

Effective Date: April 24, 2026

---

1. Introduction

This Privacy Policy describes how Claire dba Fawkes Biodata Inc. ("Claire," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information — including health and biometric information — when you use the Claire application, website, and related services (collectively, the "Services").

This policy applies to individuals in the United States and Canada. Where additional rights or disclosures are required by a specific jurisdiction, those rights are described in the region-specific sections below (Sections 11–13).

By using the Services, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will obtain your express consent before collecting or using your personal information.

2. Scope and Roles

-Controller / Responsible Party. Claire dba Fawkes Biodata Inc. is the controller (US state law terminology) and the organization responsible (Canadian terminology) for the personal information described here.
-Business Associate / Processor. Where Claire is engaged by a healthcare provider, health plan, or other covered entity, Claire may act as a HIPAA Business Associate or as a processor/service provider under state and provincial laws. In those cases, the covered entity's or customer's privacy notice governs the relationship with the individual, and this policy describes Claire's supplemental practices.
-Children. The Services are not directed to children under 13 (United States) or under the age of majority in the applicable Canadian province. We do not knowingly collect personal information from children without verifiable parental consent. See Section 9.

3. Information We Collect

3.1 Information you provide directly

-Account and contact information: name, email address, phone number, postal address, username, password, and professional role (e.g., patient, clinician, caregiver).
-Identity and verification information: date of birth, government-issued identifiers where required (e.g., for identity verification or insurance billing), and profile photo.
-Health information you submit: symptoms, conditions, diagnoses, medications, allergies, lab and imaging results, family history, reproductive and sexual health information, mental health information, substance use information, genetic information, and any other health-related information you choose to share.
-Biometric information: where the Services process biometric identifiers (e.g., voiceprints, facial geometry, fingerprints) or biometric-derived data, we collect and use this information only with your express consent and as described in Section 12.3.
-Communications: messages you send to us or to other users of the Services, including support inquiries and feedback.
-Payment information: if you purchase services, billing address and payment card information, which is processed by our payment processor (Stripe). We do not store full payment card numbers.

3.2 Information collected automatically

-Device and technical data: IP address, device identifiers, operating system, browser type, mobile carrier, language settings, and crash logs.
-Usage data: pages and screens viewed, features used, time spent, referring URLs, and interaction events.
-Cookies and similar technologies: see Section 7.
-Location information: approximate location derived from IP address; precise location only where you have enabled it and granted permission.

3.3 Information from third parties

-Healthcare providers and plans who have engaged Claire to deliver services to you.
-Integration partners such as electronic health record (EHR) systems, laboratories, pharmacies, wearable device providers, and identity verification services, where you have connected them to the Services.
-Analytics and advertising partners (only as described in Section 7 and with appropriate consent where required).
-Public sources such as public directories, where permitted by law.

4. How We Use Personal Information

We use personal information for the following purposes:

-Provide and operate the Services, including creating and maintaining your account, delivering features you request, and enabling connections between you and healthcare providers.
-Deliver health-related functions such as symptom assessment, care coordination, medication reminders, and decision support, strictly as configured by you or the covered entity providing your care.
-Improve and develop the Services, including debugging, analytics, and quality assurance. We do not use identifiable health information for product improvement without your authorization or a lawful basis.
-Train or improve machine-learning models only with de-identified or aggregated data, or with your express opt-in consent where identifiable data is used. 
-Communicate with you about your account, service changes, security alerts, and — where permitted — marketing and surveys. You can opt out of non-essential communications at any time.
-Security, fraud prevention, and integrity, including detecting and preventing unauthorized access, abuse, and violations of our Terms of Service.
-Comply with legal obligations, respond to lawful requests from public authorities, and enforce our rights.
-Research and public health purposes, only with your authorization or using properly de-identified data, and subject to HIPAA and applicable law.

5. Legal Bases and Consent

-United States. We rely on your authorization, contractual necessity, our legitimate interests (where not overridden by your rights), and legal obligations. Where HIPAA applies, we process Protected Health Information ("PHI") only as permitted by the HIPAA Privacy Rule and applicable Business Associate Agreements.
-Canada. We collect, use, and disclose personal information with your knowledge and consent, except where collection, use, or disclosure without consent is permitted or required by law (e.g., PIPEDA s. 7, Quebec Law 25, and applicable provincial legislation).
-Sensitive categories. We obtain your express, opt-in consent before processing sensitive personal information, including health, genetic, biometric, and precise geolocation information, except where a narrow statutory exception applies (e.g., emergency care, public health).

6. How We Share Personal Information

We share personal information only as described below and, where required, with your consent.

-With healthcare providers and covered entities who use Claire to deliver care to you.
-With service providers and processors acting on our behalf — for example, cloud hosting, secure messaging, analytics, customer support, identity verification, and payment processing. These parties are contractually bound to use the information only to perform services for us and to protect it appropriately.
-With integration partners you connect, such as EHRs, pharmacies, laboratories, or wearable devices, at your direction.
-For legal and safety reasons, including to comply with applicable law, lawful requests, court orders, or to protect the rights, property, or safety of Claire, our users, or others.
-In connection with a corporate transaction such as a merger, acquisition, financing, reorganization, or sale of assets. We will notify you as required by law and will honor the commitments in this policy or obtain your consent for any material change.
-With your consent or at your direction.

No sale of personal information. Claire does not sell personal information or consumer health data for money. Claire does not engage in "targeted advertising" or "cross-context behavioral advertising" using health information. Where any sharing could be deemed a "sale" or "sharing" under state law, we provide an opt-out as described in Section 11.

7. Cookies, Analytics, and Tracking Technologies

We use cookies, SDKs, pixels, and similar technologies to operate the Services, remember your preferences, measure performance, and — where permitted — conduct analytics. We do not use third-party advertising cookies, pixels, or SDKs on pages or screens where health information is displayed or entered.

You can manage cookies through your browser and — where available — through an in-app preference center. We honor the Global Privacy Control (GPC) as a valid opt-out of "sale" and "sharing"/"targeted advertising" for California and other states that recognize it.

8. Data Retention

We retain personal information only as long as necessary to provide the Services, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the type of information and applicable law, including HIPAA's minimum six (6) year retention for designated records and provincial health-records retention requirements in Canada. When information is no longer needed, we delete, de-identify, or securely anonymize it.


9. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under 13 in the United States (COPPA) or under the applicable age of consent in Canada without verifiable parental or guardian consent. If you believe we have collected information from a child without appropriate consent, please contact us using the details in Section 14 and we will delete it.

10. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. These include encryption in transit and at rest, access controls, logging and monitoring, workforce training, vendor due diligence, and a written incident response plan. Where HIPAA applies, we implement the HIPAA Security Rule safeguards. No system is perfectly secure; we cannot guarantee absolute security.

We will notify affected individuals and regulators of security incidents as required by HIPAA, the HITECH Breach Notification Rule, state breach-notification laws, PIPEDA's breach-of-security-safeguards provisions, and provincial requirements (including Quebec Law 25 and Ontario PHIPA).

11. United States — State Privacy Rights

This section supplements the policy above and applies to residents of the listed states. Where the Services process PHI subject to HIPAA, HIPAA and applicable state health-information laws — not the comprehensive state privacy laws — generally govern that information. The rights described below apply to personal information that is not exclusively governed by HIPAA.

11.1 Your rights (all covered states)

Subject to verification and legal exceptions, you may request to:

-Know / access the categories and specific pieces of personal information we have collected about you.
-Correct inaccurate personal information.
-Delete personal information we have collected from you.
-Receive a portable copy of your personal information.
-Opt out of (i) sale of personal information, (ii) sharing/targeted advertising, and (iii) certain profiling with legal or similarly significant effects.
-Limit use of sensitive personal information to that necessary to provide the Services.
-Not receive discriminatory treatment for exercising your rights.
-Appeal a denial of your request (where state law provides an appeal right).

11.2 How to submit a request

- Email: customers@clairemed.ai

We will verify your identity using information already associated with your account. Authorized agents may submit requests on your behalf with appropriate authorization.

11.3 California (CCPA/CPRA)

Categories of personal information collected in the last 12 months: identifiers; customer records; protected classification characteristics (where voluntarily provided, e.g., for health-equity purposes); commercial information; internet/network activity; geolocation (approximate and, with permission, precise); audio/visual information (where you submit it); professional or employment-related information (where relevant); inferences; and sensitive personal information, including health information, biometric information (where used for identification), account credentials, precise geolocation, and racial/ethnic origin (where voluntarily provided).

Sources, purposes, and disclosures are described in Sections 3, 4, and 6.

Sale / sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising.

Use of sensitive personal information. We use sensitive personal information only for the purposes permitted by Cal. Civ. Code § 1798.121 and its implementing regulations (e.g., to provide the Services you requested). You may request that we limit such use; see Section 11.2.

Retention. See Section 8.

Shine the Light. California residents may request information about disclosures to third parties for direct marketing purposes by contacting us at privacy@clairemed.ai. We do not currently disclose personal information to third parties for their direct marketing.

11.4 Virginia, Colorado, Connecticut, Utah, Texas

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) have the rights described in Section 11.1, subject to the specific scope and exceptions in each state's law. Key state-specific points:

-Consent for sensitive data. In Virginia, Colorado, and Connecticut, we obtain your opt-in consent before processing sensitive personal data (including health, genetic, biometric, and precise geolocation data) and, where required, before processing the personal data of a known child.
-Profiling. In Virginia, Colorado, and Connecticut, you may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Claire does not currently engage in this form of profiling. 
-Appeals. In Virginia, Colorado, Connecticut, and Texas, you may appeal a denial of your rights request by replying to our decision or contacting privacy@clairemed.ai. If you are unsatisfied, you may contact your state attorney general.
-Texas TDPSA notice. We may sell sensitive personal data only with your consent. We may sell biometric data only with your consent. Claire does not sell sensitive personal data or biometric data.
-Universal opt-out signals. In Colorado, Connecticut, and Texas (and California), we honor recognized opt-out preference signals, including GPC.

11.5 Washington My Health My Data Act (MHMDA) and similar health-data laws

Even if you are not a Washington resident, consumer-health-data laws in Washington (MHMDA), Nevada (SB 370), and Connecticut's 2023 amendments may apply to certain data. Claire:

-Obtains your separate, affirmative consent before collecting or sharing "consumer health data," except where a narrow statutory exception applies.
-Obtains a signed written authorization before any sale of consumer health data.
-Provides the rights to access, delete, and withdraw consent for consumer health data. See Section 11.2 to submit a request.
-Does not engage in geofencing around healthcare facilities.

11.6 HIPAA

Where Claire operates as a Business Associate of, or as a covered entity affiliated with, a healthcare provider or health plan, our use and disclosure of PHI is governed by the HIPAA Privacy, Security, and Breach Notification Rules and the applicable Business Associate Agreement. Individuals generally exercise HIPAA rights (access, amendment, accounting of disclosures, restrictions, confidential communications) through the covered entity, and we will support those requests as required.

11.7 Genetic Information

Where Claire collects or processes genetic information, we comply with the Genetic Information Nondiscrimination Act (GINA) and applicable state genetic-privacy laws (including California's GIPA, Florida's Protecting DNA Privacy Act, and similar laws). We obtain your express written consent before collecting, using, or disclosing genetic information, and we do not disclose genetic information to employers, insurers, or law enforcement without your consent or a valid legal process.

12. Canada — Privacy Notice

12.1 Federal (PIPEDA) and Alberta / British Columbia

Claire handles personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Alberta's and British Columbia's Personal Information Protection Acts (PIPAs). You have the right to:

-Access the personal information we hold about you, including how it has been used and to whom it has been disclosed.
-Correct inaccurate information.
-Withdraw your consent at any time, subject to legal and contractual restrictions and reasonable notice.
-File a complaint with us; if unresolved, you may contact the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or your provincial privacy commissioner.

We limit collection, use, and disclosure to purposes that a reasonable person would consider appropriate in the circumstances. We do not use personal information for purposes unrelated to those identified to you without your consent.

Cross-border transfers. Personal information may be processed or stored outside the province or country where you reside, including in the United States. When this occurs, information is subject to the laws of the jurisdiction where it is processed, and those laws may differ from Canadian law. We use appropriate contractual and organizational measures to protect your information. See Section 13.

12.2 Quebec — Law 25

If you reside in Quebec, the following additional rules apply under An Act respecting the protection of personal information in the private sector, as amended by Law 25:

-Privacy Officer. Our Privacy Officer (the "person in charge") is Ian Taylor, CEO, ian@clairemed.ai.
-Consent. We obtain your free, informed, express consent — separately from other consents where required — before processing sensitive personal information (including health and biometric information).
-Automated decision-making. If we ever make a decision about you based exclusively on automated processing, we will inform you, tell you about the main factors and parameters leading to the decision, and give you the right to submit observations and seek human review. Claire does not currently make such decisions.
-Rights. You have the rights of access, rectification, de-indexation (right to cease dissemination, re-indexation, or de-indexation where dissemination causes serious injury), and portability (effective September 22, 2024).
-Biometrics. Before implementing any system that uses biometric characteristics or measurements to verify or confirm identity, we will obtain your express consent and file the required disclosure with the Commission d'accès à l'information (CAI).
-Privacy incidents. We maintain an incidents register and will notify the CAI and affected individuals of any confidentiality incident presenting a risk of serious injury.
-French-language access. This policy is available in French on request.

12.3 Biometric Information

We collect biometric information only with your express, opt-in consent and only for purposes we have specifically described to you. We do not sell biometric information. We delete biometric information when the purpose for which it was collected is satisfied or when you withdraw consent, whichever is earlier, subject to legal retention obligations. In Quebec, biometric systems are implemented in accordance with the Act to establish a legal framework for information technology and registered with the CAI where required.

12.4 Provincial Health-Information Laws

Where Claire handles "personal health information" in connection with services delivered by a health information custodian or trustee, provincial health-information laws apply, including:

-Ontario — Personal Health Information Protection Act (PHIPA)
-Alberta — Health Information Act (HIA)
-Saskatchewan — Health Information Protection Act (HIPA)
-Manitoba — Personal Health Information Act (PHIA)
-New Brunswick — Personal Health Information Privacy and Access Act (PHIPAA)
-Nova Scotia — Personal Health Information Act (PHIA)
-Newfoundland and Labrador — Personal Health Information Act (PHIA)
-Quebec — Act respecting health and social services information (effective July 1, 2024)

In most provinces, Claire acts as an agent, information manager, or electronic service provider of the custodian/trustee. Your rights to access, correct, and restrict use of your personal health information are generally exercised through that custodian, and Claire will support those requests as contractually and legally required.

12.5 Canadian Anti-Spam Legislation (CASL)

We send commercial electronic messages only with your express or implied consent and include unsubscribe mechanisms as required by CASL.

13. International Data Transfers

Claire is headquartered in Canada and processes personal information in the United States and Canada. When information is transferred across borders, we use contractual protections (including standard contractual provisions as appropriate), encryption, and vendor assessments to protect it. Canadian users: see Section 12.1 for additional disclosures.

14. Contact Us

-Privacy Officer / Data Protection Contact: Ian Taylor, CEO
-Email: Ian@clairemed.ai

Regulators. If you are not satisfied with our response, you may contact:

-United States: the Federal Trade Commission (www.ftc.gov), the U.S. Department of Health and Human Services Office for Civil Rights for HIPAA matters (www.hhs.gov/ocr), or your state attorney general.
-Canada: the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or your provincial privacy or health-information commissioner (e.g., the Commission d'accès à l'information du Québec, the Information and Privacy Commissioner of Ontario).

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Services and update the "Last Updated" date above. Where required by law (including Quebec Law 25 and in the HIPAA context), we will obtain new consent or provide a revised Notice of Privacy Practices before the changes take effect.