Kaducia Privacy Policy

Effective Date: 05/15/25

1. Overview

Kaducia is a browser-based medical coding assistant designed to help clinical professionals extract and assign medical codes from free-text notes. This Privacy Policy describes how we handle and protect your information, including Protected Health Information (PHI), in compliance with applicable laws such as HIPAA (the Health Insurance Portability and Accountability Act).

2. What Information We Collect

We collect the following information when you use the Kaducia Chrome extension:

  • Login credentials via Auth0 (e.g., email address)
  • Medical notes or text extracted from the page (when you explicitly trigger it)
  • Generated codes (ICD-9, ICD-10, CPT, etc.)
  • Anonymous usage logs (e.g., timestamp, feature usage), which contain no PHI

3. How We Use Your Information

We use your information solely to:

  • Authenticate your identity
  • Process medical notes and generate code recommendations
  • Improve the quality and performance of our services

We do not sell, share, or use your data for advertising.

4. How We Protect Your Data

We follow strict technical and administrative safeguards to protect your information:

  • All data is transmitted over HTTPS
  • Access tokens are securely stored and expire automatically
  • PHI is processed in memory and never written to disk
  • No PHI is stored long-term by the extension
  • Our backend services are hosted on HIPAA-aware infrastructure and require authentication

5. HIPAA Compliance

If you are a covered entity under HIPAA and use Kaducia to process PHI, we are able to act as your Business Associate. In such cases:

  • We will enter into a Business Associate Agreement (BAA)
  • We will comply with all HIPAA-required safeguards
  • We will notify you promptly in the event of any data incident

6. Your Rights and Choices

You have the right to:

  • Request information about the data we've processed
  • Request deletion of stored data (if applicable)
  • Control who has access to your account

Contact us at sr118@rice.edu to exercise these rights.

7. Third-Party Services

We use Auth0 for authentication and Render for backend processing. These providers are selected for their security and reliability. We do not share your data with any other third parties.

8. Data Retention

We do not retain PHI or medical text once processing is complete. Any temporary data is securely cleared from memory and not persisted to disk.

9. Contact Us

If you have any questions about this Privacy Policy, or wish to request a BAA, please contact us:

📧 Email: sr118@rice.edu

10. Updates to This Policy

We may update this policy as necessary to reflect changes to our practices. You will be notified of significant updates via the extension or email.