Privacy Policy
Last updated: April 9, 2026
1. Introduction
ClearStars, Inc. ("ClearStars," "we," "us," or "our") is a Delaware corporation that provides a cloud-based software-as-a-service (SaaS) platform specializing in advanced analytics and artificial intelligence for Medicare Advantage (MA) health plans. Our platform, including our proprietary QuaSAR engine (Quality and Stars Analytics Resource), processes healthcare data to support CMS Stars ratings improvement, quality measurement, risk adjustment, and population health management.
This Privacy Policy describes how ClearStars collects, uses, discloses, retains, and protects information when you use our platform (app.clearstars.ai), visit our website (clearstars.ai), or otherwise interact with our services. This policy applies to all users, including health plan clients, their authorized users, and website visitors.
In the course of providing our services, ClearStars processes Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. ClearStars acts as a Business Associate under HIPAA and processes PHI strictly in accordance with executed Business Associate Agreements (BAAs) with our covered entity clients.
By accessing or using our services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with these practices, please do not use our services.
2. Regulatory Compliance
ClearStars maintains compliance with multiple regulatory frameworks to ensure the highest standards of data protection and privacy:
HIPAA Business Associate
ClearStars operates as a Business Associate under HIPAA. We execute Business Associate Agreements (BAAs) with all covered entity clients before processing any PHI. Our obligations include implementing administrative, physical, and technical safeguards; reporting breaches and security incidents; ensuring subcontractors comply with equivalent protections; and maintaining documentation of our compliance activities.
SOC 2 Type II
ClearStars undergoes annual SOC 2 Type II audits covering the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Audit reports are available to clients and prospects under NDA upon request.
HITRUST CSF
ClearStars aligns its security program with the HITRUST Common Security Framework, which harmonizes requirements from HIPAA, NIST, ISO 27001, and other standards relevant to healthcare information protection.
State Privacy Laws
ClearStars monitors and complies with applicable state privacy and data protection laws, including but not limited to the Texas Medical Records Privacy Act, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other state-specific requirements that may apply to the data we process on behalf of our clients.
3. Information We Collect
Protected Health Information (PHI)
On behalf of our health plan clients, ClearStars processes the following categories of PHI as necessary to provide our analytics and quality measurement services:
- Member demographic information (name, date of birth, address, member ID)
- Clinical data (diagnoses, procedures, medications, lab results)
- Claims and encounter data
- Provider information associated with member care
- Health Risk Assessment (HRA) data
- Quality measure compliance data (HEDIS, CAHPS, HOS, pharmacy measures)
- Risk adjustment data (HCC codes, RAF scores)
Client Account Information
When organizations subscribe to our platform, we collect:
- Organization name and business contact information
- Authorized user names, email addresses, and job titles
- Billing and payment information
- Contract and BAA documentation
- User role and permission configurations
Platform Usage Data
When authorized users access our platform, we automatically collect:
- Access logs (login times, session duration, features accessed)
- Query and report generation activity
- User interface interactions for product improvement
- Device and browser information
- IP addresses and geolocation data (city/state level)
Website Visitor Data
When you visit clearstars.ai, we may collect:
- Information you voluntarily provide through contact forms or demo requests
- Cookie and similar tracking technology data (see Section 9)
- Browsing behavior and page interactions
- Referring website addresses
4. How We Use Information
PHI Usage (Per BAA)
ClearStars uses PHI exclusively as permitted under our BAAs and HIPAA to:
- Perform quality measurement analytics (HEDIS, CAHPS, HOS, pharmacy)
- Generate CMS Stars ratings predictions and improvement recommendations
- Conduct risk adjustment coding analysis and validation
- Produce population health management insights
- Create regulatory compliance reports for client submission
- Support provider performance evaluation and gap closure tracking
- Deliver real-time operational dashboards and alerts
AI/ML Processing
Our QuaSAR engine uses artificial intelligence and machine learning to process data for our clients. It is important to note that QuaSAR does not use client PHI to train general-purpose machine learning models. Client data is processed within isolated, client-specific environments. Our AI models are trained on publicly available CMS specifications, regulatory guidance, and de-identified benchmark data. All AI-generated outputs are deterministic and auditable.
Non-PHI Usage
We use non-PHI information to:
- Administer client accounts and provision user access
- Process billing and manage subscription services
- Provide technical support and respond to inquiries
- Improve our platform features and user experience
- Communicate product updates, security notices, and service-related information
- Comply with legal and regulatory obligations
- Aggregate and anonymize data for industry benchmarking (never using identifiable PHI)
5. Data Architecture and Security
Multi-Tenant Architecture
ClearStars employs a multi-tenant architecture with strict logical data isolation. Each client's data is segregated using Row-Level Security (RLS) policies enforced at the database level, ensuring that one client's data is never accessible by another client. Role-Based Access Control (RBAC) provides granular permission management within each client's environment, allowing administrators to define exactly what data and features each user can access.
Hosting and Infrastructure
All data is hosted on Microsoft Azure infrastructure located exclusively within the United States. We do not transfer data to international data centers. Our infrastructure is configured with Tailscale VPN for secure administrative access, and all environments (development, staging, production) are isolated from each other.
Encryption
ClearStars employs encryption for all data at all stages. Data in transit is protected using TLS 1.2 or higher for all communications. Data at rest is encrypted using AES-256 encryption. Database connections are encrypted, and all API communications use HTTPS exclusively.
Access Controls
Access to systems containing PHI is restricted to authorized personnel on a need-to-know basis. All employees with access to PHI undergo HIPAA training and background checks. Multi-factor authentication (MFA) is required for all administrative and user access. Privileged access is managed through just-in-time provisioning with automatic expiration.
4-Layer Audit System
ClearStars maintains a comprehensive four-layer audit system:
- Layer 1: Infrastructure-level logging (Azure Activity Logs, network flow logs)
- Layer 2: Application-level audit trails (user actions, data access, report generation)
- Layer 3: Database-level logging (query logs, schema changes, data modifications)
- Layer 4: AI/ML audit logs (model inputs, outputs, decision rationale, version tracking)
All audit logs are immutable, tamper-evident, and retained for a minimum of seven (7) years.
6. Data Sharing
ClearStars does not sell, rent, or trade any personal information or PHI. We will never monetize client data for advertising, marketing to third parties, or any purpose outside of the services described in our agreements.
Permitted Disclosures
We may share information only in the following circumstances:
- As directed by the client under the terms of our BAA and service agreement
- To subcontractors who have executed BAAs and equivalent confidentiality agreements with ClearStars (current subcontractors are listed in our BAA schedules)
- As required by law, regulation, or valid legal process (e.g., court order, subpoena)
- To prevent fraud, security threats, or as necessary to protect rights and safety
- In connection with a merger, acquisition, or sale of assets, subject to continued confidentiality protections
Client-Directed Multi-Tenant Sharing
Certain clients may direct ClearStars to enable data sharing between specific organizations within our platform (for example, between a health plan and its delegated entities). Such sharing is only enabled upon explicit written authorization from the data-owning client and is technically enforced through our RBAC and RLS controls.
7. Data Retention
PHI Retention
During the active term of a client agreement, PHI is retained as necessary to provide the contracted services. Upon termination or expiration of a client agreement, ClearStars will return or destroy PHI in accordance with the BAA terms. Clients may request data export in standard formats prior to termination. Post-termination, ClearStars retains PHI for a period specified in the BAA (typically 90 days) to facilitate data transition, after which it is securely destroyed.
Audit Log Retention
All audit logs across the four-layer audit system are retained for a minimum of seven (7) years from the date of creation, in compliance with HIPAA requirements and SOC 2 standards.
Session and Usage Data
Platform session data and anonymized usage analytics are retained for ninety (90) days for operational purposes, after which they are aggregated and anonymized or securely deleted.
8. Individual Rights
HIPAA Rights
Because ClearStars operates as a Business Associate, individual rights regarding PHI are generally exercised through the covered entity (our health plan clients). If you are a member of a health plan that uses ClearStars services and wish to exercise your HIPAA rights (access, amendment, accounting of disclosures, restrictions, or confidential communications), please contact your health plan directly. ClearStars will cooperate with our clients to fulfill such requests in accordance with HIPAA and our BAA obligations.
State Privacy Rights
Depending on your jurisdiction, you may have additional rights under state privacy laws, including:
- Right to know what personal information we collect, use, and disclose
- Right to request deletion of your personal information
- Right to opt out of the sale or sharing of personal information (note: ClearStars does not sell personal information)
- Right to non-discrimination for exercising your privacy rights
- Right to correct inaccurate personal information
- Right to data portability
To exercise any state privacy rights related to data ClearStars holds about you directly (such as contact form submissions or website data), please contact our Privacy Officer at [email protected]. We will respond within the timeframes required by applicable law.
9. Cookies and Similar Technologies
Strictly Necessary Cookies
Our platform uses strictly necessary cookies to enable core functionality. These include session management cookies, authentication tokens, and security cookies (such as CSRF protection). These cookies are essential for the platform to function and cannot be disabled.
Analytics Cookies
Our marketing website (clearstars.ai) may use analytics cookies to understand how visitors interact with the site. These cookies are only placed with your explicit consent. You may manage your cookie preferences at any time through the cookie banner or your browser settings.
For more details, please see our Cookie Policy.
10. Children's Privacy
Our services are designed for use by healthcare organizations and their authorized personnel. We do not knowingly collect personal information directly from children under the age of 13 through our website or marketing activities. PHI related to minors may be processed through our platform on behalf of health plan clients, and such processing is governed by the applicable BAA and HIPAA requirements. If you believe that we have inadvertently collected personal information from a child under 13 outside of client BAA obligations, please contact our Privacy Officer at [email protected], and we will promptly delete such information.
11. International Data Transfers
ClearStars processes and stores all data exclusively within the United States. Our Azure infrastructure is configured to use only US-based data centers. We do not transfer PHI or client data to any international locations. All ClearStars employees and contractors who access PHI are located within the United States. In the unlikely event that international data transfer becomes necessary in the future, ClearStars will implement appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms), update this Privacy Policy, and notify affected clients in advance.
12. Incident Response and Breach Notification
Containment
ClearStars maintains a comprehensive incident response plan that includes immediate containment procedures. Upon identification of a potential security incident or breach, our security team initiates containment protocols to limit exposure, preserve forensic evidence, and assess the scope and impact of the incident.
Notification
In the event of a breach of unsecured PHI, ClearStars will notify affected clients without unreasonable delay and in no case later than sixty (60) days following the discovery of the breach, consistent with HIPAA Breach Notification Rule requirements. Notifications will include a description of the breach, the types of information involved, steps taken in response, and recommended actions for affected individuals.
Incident Documentation
All security incidents and breach investigations are documented and retained for a minimum of seven (7) years. Documentation includes the nature of the incident, the timeline of events, remediation actions taken, root cause analysis, and any resulting policy or procedure changes.
13. Insurance Coverage
ClearStars maintains insurance coverage appropriate for a healthcare technology provider handling PHI. Our coverage includes professional liability (Errors and Omissions) insurance with a minimum of $2,000,000 in coverage and cyber liability insurance with a minimum of $2,000,000 in coverage, providing protection for data breach response, notification costs, regulatory proceedings, and related expenses. Certificates of insurance are available to clients upon request.
14. Changes to This Privacy Policy
ClearStars may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes that affect how we handle PHI or that significantly alter your rights, we will provide at least thirty (30) days' advance notice via email to active client contacts and by posting the updated policy on our website with a revised "Last Updated" date. Non-material changes (such as formatting or clarifications) may be made without advance notice. Your continued use of our services after the effective date of any changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.
15. Contact Information
For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
Privacy Officer
ClearStars, Inc.
c/o Rocket Corporate Services Inc.
2140 S DuPont Hwy, Camden, DE 19934
Privacy inquiries: [email protected]
Legal inquiries: [email protected]
General inquiries: [email protected]
Phone: +1 832-261-7779
16. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws principles. Any disputes arising from or related to this Privacy Policy shall be resolved in accordance with the dispute resolution provisions set forth in our Terms of Service. To the extent that federal law (including HIPAA) applies to any matter addressed in this Privacy Policy, federal law shall control.