Last updated: February 15, 2026

1. Introduction

Sulci AI, Inc. ("Sulci," "we," "us") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our clinical ontology normalization platform and related services.

2. Information We Collect

Account Information: Name, email address, organization, and role when you create an account.

Clinical Data: Documents, notes, and data you submit for processing through our NLP and mapping services. This may include Protected Health Information (PHI) governed by a BAA.

Usage Data: API call logs, feature usage patterns, and performance metrics to improve the Service.

Device Information: Browser type, IP address, and operating system for security and analytics purposes.

3. How We Use Your Information

We use collected information to: (a) provide and operate the Service; (b) process clinical data through our NLP and ontology mapping pipelines; (c) improve model accuracy and Service performance; (d) communicate with you about your account and Service updates; (e) ensure the security and integrity of the platform; and (f) comply with legal obligations.

4. Protected Health Information

When customers process PHI through the Service, we act as a Business Associate under HIPAA. We process PHI only as permitted by the BAA and applicable law. PHI is encrypted at rest (AES-256) and in transit (TLS 1.3), and access is restricted to authorized personnel and systems. We do not use PHI for model training without explicit, separate authorization.

5. Data Sharing

We do not sell your personal information or clinical data. We may share information with: (a) service providers who assist in operating the platform, under strict contractual obligations; (b) law enforcement when required by law; and (c) in connection with a merger, acquisition, or sale of assets, with prior notice to you.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Clinical data is retained per your organization's configured retention policy. You may request data deletion at any time, subject to legal and regulatory retention requirements.

7. Security

We implement industry-standard security measures including encryption, access controls, audit logging, and regular penetration testing. SOC 2 Type II certification is in progress. For more details, see our Security page.

8. Your Rights

You have the right to: (a) access your personal data; (b) correct inaccurate data; (c) request deletion of your data; (d) export your data in a machine-readable format; and (e) withdraw consent for data processing where applicable. To exercise these rights, contact privacy@sulci.ai.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and update the "Last updated" date above.

10. Contact

For questions about this Privacy Policy, contact us at privacy@sulci.ai.