Privacy Policy

Effective: December 17, 2025
Last updated: December 17, 2025

This Privacy Policy explains how OMNEAN collects, uses, discloses, and protects information when you visit omnean.ai or use the OMNEAN Eligibility & Assistance Network platform (“EAN”) and related services (collectively, the “Services”). If you do not agree with this Privacy Policy, please do not use the Services.

1. SCOPE AND IMPORTANT CONTEXT

1.1 Who this Policy applies to

This Privacy Policy applies to:

  • Visitors to our websites (including omnean.ai);
  • Users who create an account or otherwise use the Services; and
  • Individuals who communicate with us (e.g., support inquiries).

1.2 Enterprise/organizational use

If you use EAN through an organization (for example, a provider agency or other entity) that has a contract with OMNEAN (a “Customer”), your use may also be governed by that Customer’s agreement with OMNEAN. Where there is a conflict, the applicable Customer agreement controls for the Customer’s data.

1.3 HIPAA and PHI (Protected Health Information)

OMNEAN is not a healthcare provider. Depending on how the Services are deployed, OMNEAN may act as a Business Associate under HIPAA when providing Services to a HIPAA Covered Entity or Business Associate and processing PHI on their behalf. In those cases:

  • OMNEAN’s handling of PHI is governed by the applicable Business Associate Agreement (“BAA”) and HIPAA, and

  • Individual HIPAA rights requests are typically handled through the Covered Entity (or the organization responsible for the PHI), unless the BAA provides otherwise.

This Privacy Policy is not a HIPAA “Notice of Privacy Practices.”

2. DEFINITIONS

  • “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an individual.
  • “Customer Data” means information submitted to the Services by or on behalf of a Customer, including prompts, uploaded materials, and outputs, and may include PHI, depending on use.
  • “PHI” has the meaning set forth under HIPAA, where applicable.
  • “De-identified” or “Aggregated” means information that has been processed to remove identifiers such that it cannot reasonably be used to identify an individual (or is combined in a way that does not identify individuals), consistent with applicable law.

3. INFORMATION WE COLLECT

We collect information in three ways: (A) information you provide, (B) information collected automatically, and (C) information from third parties.

3.1 Information you provide directly

Depending on how you interact with the Services, we may collect:

  • Account and profile information: name, email address, username, password (stored in hashed form where applicable), organization/agency affiliation, role type (e.g., family member/representative, provider staff, case manager), and account preferences.
  • Service inputs and content: prompts, questions, form entries, uploaded documents, notes, and other materials you submit through the Services.
  • Outputs and interaction records: responses generated by the Services, citations/source references, and related metadata (e.g., timestamps, assistant type, state configuration, policy version references).
  • Support and communications: information you send to us (e.g., emails to support, feedback, issue reports), which may include attachments or details you choose to provide.

Important: If you provide information about someone else (including health, eligibility, or service-planning details), you represent that you have the authority and lawful basis to do so.

3.2 Information collected automatically

When you visit or use the Services, we may automatically collect:

  • Usage data: pages and features used, actions taken, referring URLs, session activity, and approximate usage patterns.
  • Device and connection data: browser type, operating system, device identifiers, IP address, network information, and similar technical data.
  • Cookies and similar technologies: to support authentication, session management, security, and analytics. See Section 8 (Cookies and Tracking).

3.3 Information from third parties

We may receive information from:

  • Customers/Administrators (for enterprise accounts), such as role assignments, permissions, and organizational details.
  • Identity providers if single sign-on (SSO) is enabled (e.g., confirmation that you authenticated, your email, and basic profile attributes).
  • Service providers that support operations (e.g., fraud prevention, security monitoring, analytics), to the extent permitted by law and contract.

4. HOW WE USE INFORMATION

We use information for the following purposes:

4.1 Provide, operate, and maintain the Services

Including to:

  • Create and administer accounts;
  • Authenticate users and enforce role-based access controls;
  • Process prompts and generate outputs (including citations and effective-date references, where available);
  • Provide requested features (e.g., provider search, compliance checks, drafting tools);
  • Maintain auditability and accountability features (e.g., logs tied to prompts, outputs, sources, timestamps).

4.2 Security, integrity, and fraud prevention

Including to:

  • Monitor for suspicious or unauthorized activity;

  • Protect the confidentiality, integrity, and availability of systems;

  • Enforce our Terms of Service and acceptable-use rules.

4.3 Support and communications

Including to:

  • Respond to questions, requests, and support tickets;
  • Send administrative messages (e.g., service updates, security notices);
  • Provide information you request.

4.4 Product improvement and development

Including to:

  • Debug, test, and improve functionality;
  • Understand feature usage and performance;
  • Develop new features and capabilities.

Where feasible and appropriate, we may use aggregated and/or de-identified information for analytics and improvement.

4.5 Compliance with law and protection of rights

Including to:

  • Comply with legal obligations, lawful requests, and applicable regulations;
  • Protect the rights, safety, and property of OMNEAN, our users, Customers, and others.

5. HOW WE DISCLOSE INFORMATION

We may disclose information as follows:

5.1 Service providers and subprocessors

We may share information with vendors and service providers who perform services for us (e.g., cloud hosting, security monitoring, authentication, support tooling, analytics, payment processing if applicable). These providers are authorized to access information only as needed to perform services on our behalf and are contractually required to protect it.

5.2 Customers and authorized administrators

If you use the Services through a Customer (e.g., your employer or agency), certain information (such as account status, role assignments, usage logs, or audit records) may be visible to that Customer’s authorized administrators, consistent with the Customer’s configuration and agreements.

5.3 At your direction

We may disclose information when you request or direct us to do so (for example, exporting an output, sharing a report, or sending materials to a designated recipient through available features).

5.4 Legal process and protection

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with law, regulation, subpoena, court order, or other legal process;
  • Protect against fraud or security threats;
  • Enforce our agreements and policies; or
  • Protect the rights, property, or safety of OMNEAN, users, Customers, or others.

5.5 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be disclosed as part of that transaction, subject to appropriate confidentiality and security protections.

5.6 Aggregated or de-identified information

We may disclose aggregated or de-identified information that does not identify individuals, consistent with applicable law.

6. PHI, HIPAA, AND CUSTOMER DATA OBLIGATIONS

Where OMNEAN processes PHI on behalf of a Customer under a BAA:

  • We use and disclose PHI only as permitted by the BAA and applicable law;
  • We implement safeguards required by HIPAA (as applicable under the BAA);
  • We support auditability, access controls, and logging consistent with the Services’ design and contractual commitments.

If you are an individual whose PHI is involved, and you wish to exercise HIPAA rights (access, amendment, accounting of disclosures, etc.), you should generally contact the relevant Covered Entity or organization responsible for your PHI.

7. AI FEATURES, LOGGING, AND MODEL IMPROVEMENT PRACTICES

7.1 Processing prompts and generating outputs

The Services process User Content (including prompts and uploads) to generate outputs (including explanations and citations) and to operate safety, security, and compliance controls (including audit logs).

7.2 Audit logs and accountability

Because the Services are designed to be secure and auditable, we may retain logs associated with prompts, outputs, citations/source references, timestamps, and access metadata, subject to contractual commitments and applicable law.

7.3 Training and personalization

  • Personalization (if enabled) is intended to be scoped to an individual or Customer environment, consistent with consent and access controls.
  • OMNEAN does not use Customer Data containing PHI to train shared, general-purpose models except as permitted by the applicable BAA and Customer agreements.
  • We may use de-identified and/or aggregated information to improve the Services, consistent with applicable law and contractual restrictions.

8. COOKIES AND TRACKING TECHNOLOGIES

We may use cookies and similar technologies (such as local storage or pixels) for:

  • Strictly necessary purposes (e.g., authentication, session management, security);
  • Preferences (e.g., language or settings); and
  • Analytics (e.g., understanding usage and performance).

You can typically control cookies through your browser settings. If we provide a cookie banner or preference center, you may also manage choices there (where available). Disabling cookies may affect certain functionality.

Do Not Track: Some browsers offer “Do Not Track” signals. Because there is no consistent industry standard, our Services may not respond to all such signals.

9. DATA SECURITY

We implement administrative, technical, and organizational measures designed to protect information against unauthorized access, disclosure, alteration, or destruction. These measures may include access controls, encryption in transit and at rest (where applicable), role-based access, and auditing mechanisms. No security system is perfect, and we cannot guarantee absolute security. You are responsible for using strong passwords and maintaining the confidentiality of your credentials.

10. DATA RETENTION

We retain information for as long as necessary to:

  • Provide the Services;
  • Maintain auditability, security, and integrity;
  • Comply with legal obligations; and
  • Resolve disputes and enforce agreements.

Retention periods may vary depending on the nature of the data, contractual requirements (including BAAs), and legal/regulatory obligations. Where feasible, we may delete, de-identify, or aggregate information when it is no longer needed.

11. YOUR PRIVACY RIGHTS AND CHOICES

11.1 Account information

You may be able to access, update, or correct certain profile information through your account settings. If you cannot, contact us at support@omnean.com.

11.2 Communications preferences

You may opt out of non-essential marketing communications by using the unsubscribe link or contacting us. We may still send transactional or service-related messages.

11.3 U.S. state privacy rights (where applicable)

Depending on where you live, you may have rights such as:

  • Access to Personal Information we hold about you;

  • Correction of inaccurate Personal Information;

  • Deletion (subject to exceptions);

  • Obtaining a copy of certain information; and

  • Opting out of certain processing (such as targeted advertising) where applicable.

We do not sell Personal Information in the ordinary sense. Some analytics and cookie-based practices may be considered a “sale” or “sharing” under certain laws in some circumstances. Where required, we will provide mechanisms to exercise applicable opt-out rights.

To submit a request, contact support@omnean.com. We may need to verify your identity and, if applicable, your authority to make the request.

11.4 HIPAA rights for PHI

If your request concerns PHI processed under a Customer’s BAA, you should direct your request to the relevant Covered Entity or organization responsible for the PHI, unless instructed otherwise.

12. INTERNATIONAL USERS

If you access the Services from outside the United States, you understand that information may be processed and stored in the United States or other locations where OMNEAN or its service providers operate, subject to appropriate safeguards and contractual controls where required.

13. CHILDREN’S PRIVACY

The Services are not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information to us, contact support@omnean.com.

14. THIRD-PARTY LINKS

The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. You should review their privacy policies before providing information.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by applicable law (for example, by posting an updated policy with a new “Last Updated” date, and/or by additional notice where appropriate). Your continued use of the Services after an update constitutes acceptance of the updated policy.

16. CONTACT US

If you have questions or requests regarding privacy, contact: support@omnean.com

OMNEAN, LLC