Privacy Policy

CRUXIO™ and the HIP™ Healthcare Intelligence Platform are built on a foundational commitment to privacy, data sovereignty, and regulatory compliance. This policy explains how we collect, process, protect, and govern your data — transparently and without exception.

Version: 1.0
Effective date: 01 January 2025
Last reviewed: 01 January 2025
Governed by: Cruxio Health Intelligence Pvt. Ltd.
Jurisdictions covered: HIPAA (US) · PIPEDA (Canada) · UK GDPR · GDPR (EU) · Privacy Act (Australia) · DPDPA (India) · PDPL (UAE / KSA)
01. Overview & Scope
Who this policy applies to and what it covers

This Privacy Policy ("Policy") describes how Cruxio Health Intelligence Pvt. Ltd. and its affiliated entities (collectively "CRUXIO™", "we", "us", or "our") collect, use, process, store, share, and protect personal information and health-related data in connection with the HIP™ Healthcare Intelligence Platform and all associated products, including COFLERIP™, FLIP™, EMPATHIFY™, and FRAUDIQ™ (collectively, the "Platform").

This Policy applies to:

Healthcare providers, hospitals, and health systems that access the Platform as enterprise clients ("Clients")
Authorized users within Client organizations accessing Platform features ("Users")
Visitors to our website at cruxio.co and associated domains ("Visitors")
Business contacts, prospects, and partners who interact with CRUXIO™ commercially
Individuals whose data may be processed through the Platform as part of healthcare intelligence operations
Data controller vs. data processor
For healthcare data processed on behalf of our enterprise Clients, CRUXIO™ acts as a data processor (or Business Associate under HIPAA). The Client organization is the data controller. For data collected directly through our website and commercial interactions, CRUXIO™ acts as the data controller. This distinction is fundamental to understanding your rights and our obligations.

This Policy should be read alongside any Data Processing Agreement (DPA), Business Associate Agreement (BAA), or other contractual terms executed between CRUXIO™ and the Client. In cases of conflict, the DPA or BAA shall prevail with respect to health and clinical data.

02. Definitions
Key terms used throughout this policy
Personal Data / Personal Information
Any information relating to an identified or identifiable natural person, including name, contact details, identification numbers, location data, online identifiers, or factors specific to their physical, physiological, or professional identity.
Protected Health Information (PHI)
Any individually identifiable health information — in any form — that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare, or payment for care, as defined under HIPAA (45 CFR Parts 160 and 164) and equivalent legislation in applicable jurisdictions.
De-identified Data
Health or personal data from which all direct and indirect identifiers have been removed in accordance with applicable law (e.g., HIPAA Safe Harbor or Expert Determination methods), such that the risk of re-identification is negligible.
Platform Data
All data — clinical, operational, financial, experiential, and administrative — ingested, processed, analyzed, and generated by the HIP™ Platform on behalf of a Client institution.
Special Category Data
Under GDPR and UK GDPR, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for identification, health data, or data concerning a person's sex life or sexual orientation.
Business Associate Agreement (BAA)
A contract required under HIPAA between a covered entity and a service provider (business associate) that accesses, uses, or discloses PHI, establishing each party's responsibilities with respect to PHI safeguarding.
Data Processing Agreement (DPA)
A binding contractual agreement between a data controller and data processor, governing the terms under which the processor handles personal data, as required under GDPR Article 28 and equivalent legislation.
03. Data We Collect
Categories of information collected across our products and services
3.1 Platform Data (collected on behalf of Clients)
| Category | Examples | Source |
|---|---|---|
| Clinical & Health Data | Patient demographics, diagnoses (ICD codes), procedures (CPT codes), medications, lab results, vital signs, care pathways, discharge summaries, clinical notes | EHR/EMR, HIS, LIS, PACS via FHIR R4 / HL7 interfaces |
| Financial & Claims Data | Claims (837P/I), remittance (835), denial codes, AR aging, charge capture, pre-authorization, payer contracts, billing records | RCM platforms, billing systems, payer portals via X12 EDI |
| Operational Data | Bed occupancy, OT schedules, staffing rosters, ADT events, patient movement, resource utilization, workflow metrics | HIS, ADT systems, nurse stations, CMMS, scheduling systems |
| Experience & Engagement Data | Patient feedback signals, sentiment indicators, communication event logs, workforce engagement metrics (de-identified or pseudonymized) | EMPATHIFY™ integrations, CRM, survey platforms |
| Compliance & Governance Data | Audit logs, access records, policy adherence indicators, anomaly flags, investigation records | Platform-generated, FRAUDIQ™ engine |
3.2 Account & User Data
Name, job title, professional role, and contact details of authorized platform users
Login credentials (passwords stored in hashed form; CRUXIO™ never stores plaintext passwords)
Multi-factor authentication records and session tokens
Role-based access configurations and permission assignments
User activity logs, feature usage patterns, and audit trails
3.3 Website & Marketing Data
Contact form submissions including name, email, phone, and organization details
IP addresses, browser type, operating system, and device information
Pages visited, time on site, referral sources, and clickstream data
Communications with our team including emails, calls, and meeting records
Event attendance, webinar participation, and content download records
Minimum necessary standard
CRUXIO™ applies the minimum necessary principle in all data collection activities. We collect and process only the data required to deliver the contracted intelligence service. Platform access is scoped to the data fields necessary for each specific product function — no excess data is ingested or retained.
04. Legal Basis for Processing
How we are lawfully permitted to process your data

CRUXIO™ processes personal data only where a valid legal basis exists. The applicable basis depends on the jurisdiction and the nature of the processing activity.

| Processing Activity | Legal Basis | Applicable Law |
|---|---|---|
| Delivering Platform services to enterprise Clients | Performance of contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) | GDPR · UK GDPR · PIPEDA |
| Processing PHI / health data on behalf of Clients | As directed by the data controller Client; BAA / DPA in place; Healthcare treatment, payment, and operations (HIPAA) | HIPAA · GDPR Art. 9 · DPDPA |
| Account creation and user management | Performance of contract; Legitimate interests | GDPR · UK GDPR · Privacy Act (AU) |
| Security monitoring and fraud prevention | Legitimate interests; Legal obligation | All jurisdictions |
| Compliance and regulatory reporting | Legal obligation (Art. 6(1)(c)) | All jurisdictions |
| Marketing communications to business contacts | Legitimate interests; Consent where required | GDPR · CASL · PECR · SPAM Act (AU) |
| Website analytics | Consent (where cookies require it); Legitimate interests | GDPR · UK GDPR · PECR |
Consent withdrawal
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, contact us at info@cruxio.co.
05. How We Use Your Data
Specific purposes for which your information is used
5.1 Platform delivery and intelligence operations
Ingesting, normalizing, and structuring healthcare data from Client systems via approved integration interfaces
Generating compound risk scores, predictive analytics, operational signals, and role-specific intelligence dashboards
Operating AI and machine learning models trained on institutional data, with human oversight and governance gates
Delivering financial lifecycle intelligence including denial prediction, revenue cycle analysis, and cash flow modeling
Detecting anomalous patterns indicating potential fraud, waste, or compliance irregularities
Generating audit logs, traceability records, and governance documentation
5.2 Platform improvement and model development
Training and retraining intelligence models using Client-specific data solely for that Client's benefit, subject to contractual restrictions
Using de-identified, aggregated benchmark data — with explicit Client consent — to improve cross-institutional model performance
Testing and evaluating platform features using synthetic or fully anonymized datasets
What we never do with your data
CRUXIO™ does not sell, rent, or license Client health data or personal data to third parties for commercial purposes. We do not use health or clinical data for advertising, marketing profiling, or any purpose outside the contracted scope. We do not train AI models on one Client's identifiable data to benefit another Client without explicit written consent.
5.3 Website, marketing, and business operations
Responding to enquiries, demonstrations, and sales conversations
Sending product updates, whitepapers, event invitations, and platform news to opt-in contacts
Managing contracts, invoicing, and commercial relationships
Complying with applicable legal obligations, regulatory requirements, and court orders
Protecting the security and integrity of our platform, infrastructure, and team
06. Protected Health Information (PHI)
Our obligations as a HIPAA Business Associate and equivalent health data processor

For Clients operating in the United States (or processing data of US healthcare recipients), CRUXIO™ functions as a Business Associate as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

6.1 Business Associate obligations
We execute a Business Associate Agreement (BAA) with every Client whose operations involve PHI prior to accessing any health information
We use and disclose PHI only as permitted by the BAA and applicable HIPAA regulations
We implement and maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 CFR Part 164 Subpart C)
We report breaches of unsecured PHI to the Covered Entity within the timeframes specified in the BAA and HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D)
We ensure any subcontractors accessing PHI execute equivalent BAAs and maintain equivalent safeguards
We make our internal practices available to the Secretary of HHS for audit and compliance review as required by law
6.2 De-identification

Where platform intelligence functions can operate on de-identified data, we apply HIPAA-compliant de-identification methods (Safe Harbor or Expert Determination) prior to model training, benchmarking, or cross-institutional analysis. Clients may request a copy of our de-identification methodology documentation.

PHI ingestion principle
CRUXIO™ ingests PHI only through encrypted, authenticated channels. PHI is stored in dedicated, logically isolated environments. Access to PHI is governed by role-based access controls, with full audit logging of every access event. PHI is never stored in unencrypted format at rest or in transit.
07. Data Sharing & Disclosure
Who we share data with and under what conditions

CRUXIO™ does not sell personal data or health data. We share data only in the following limited and controlled circumstances:

| Recipient | Purpose | Safeguard |
|---|---|---|
| Sub-processors (cloud infrastructure, hosting, monitoring) | Platform delivery, infrastructure operation, disaster recovery | Data Processing Agreement; Standard Contractual Clauses where applicable; listed on Sub-processor Register |
| The Client institution | Delivering intelligence outputs, dashboards, and reports to authorized users within the Client's organization | Role-based access; audit logging; BAA / DPA in place |
| Regulatory and government authorities | Compliance with legal obligations, law enforcement requests, court orders, or regulatory investigations | Legal review; only minimum necessary data disclosed; Client notified where permitted by law |
| Professional advisors (legal, audit, insurance) | Legal advice, financial audit, cyber insurance claims | Professional confidentiality obligations; NDAs in place |
| Successors in a corporate transaction | Merger, acquisition, or asset transfer involving CRUXIO™ | Successor bound by equivalent privacy obligations; Clients notified in advance |
Sub-processor transparency
Enterprise Clients may request our current Sub-processor Register at any time by emailing info@cruxio.co. We provide 30 days' advance notice of any new sub-processor additions that involve personal data or PHI, allowing Clients the opportunity to object in accordance with their DPA terms.
08. International Data Transfers
How we govern data flows across borders

CRUXIO™ operates globally across the US, Canada, UK, EU, Middle East, Australia, and India. Data may be transferred across jurisdictions in the course of providing Platform services. We ensure that all cross-border transfers are governed by appropriate legal mechanisms and that the destination jurisdiction provides an adequate level of data protection.

UK and EU data: Transferred under the UK Adequacy Regulations, EU Standard Contractual Clauses (SCCs) (Commission Decision 2021/914), or an adequacy decision, supplemented by Transfer Impact Assessments (TIAs) where required
Australian data: Transferred in compliance with Australian Privacy Principle 8 (APP 8) and with contractual assurances meeting the Privacy Act 1988 standard
Canadian data: Transferred in compliance with PIPEDA and, where applicable, provincial health privacy legislation (PHIPA, HIA, PIPA)
Indian data: Processed in compliance with the Digital Personal Data Protection Act 2023 (DPDPA); health data handled with explicit consent and fiduciary obligations
Middle East data: Processed in compliance with UAE Federal Decree-Law No. 45/2021 (PDPL), Saudi Arabia PDPL, and applicable national health data regulations; data localization requirements respected where mandated
US HIPAA data: PHI remains within HIPAA-compliant infrastructure; transfers are governed by the BAA and HIPAA permissible purposes framework
Data residency options
Enterprise Clients with regulatory data residency requirements may request in-country or in-region data storage as part of their deployment configuration. CRUXIO™ supports sovereign deployment options — including on-premises, private cloud, and national-cloud deployments — for Clients requiring strict data localization. Contact us to discuss your specific requirements.
09. Data Retention
How long we keep your data and why

We retain personal and health data for the minimum period necessary to fulfil the purpose for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The following retention periods apply:

| Data Category | Retention Period | Basis |
|---|---|---|
| PHI (HIPAA-covered, US) | 6 years from creation or last effective date | HIPAA Security Rule (45 CFR §164.530(j)) |
| Clinical and health records (general) | As specified in Client BAA / DPA — typically 6–10 years | Applicable national health records legislation |
| Financial and billing data | 7 years post-contract termination | Tax, audit, and financial regulations (multi-jurisdiction) |
| Platform audit logs and access records | 3 years minimum; 6 years for HIPAA-covered entities | Regulatory compliance; legal defensibility |
| User account data | Duration of contract + 90 days post-termination | Platform delivery; data return / deletion obligations |
| Website contact form data | 3 years from last interaction | Legitimate interests; GDPR storage limitation |
| Marketing communications records | 3 years, or until opt-out | GDPR; CASL; PECR; SPAM Act (AU) |
| Contract and commercial records | 7 years post-contract end | Legal obligation; statute of limitations |
| Security incident records | 5 years | Legal defensibility; regulatory audit requirements |
| De-identified / anonymized data | May be retained indefinitely for benchmarking and model improvement (subject to Client consent) | No longer personal data under applicable law |

Upon contract termination, CRUXIO™ will, at the Client's written election and within the timeframe specified in the DPA or BAA, either securely return all Client data in a portable format or certify its secure deletion in accordance with NIST SP 800-88 or equivalent standards. Backup copies are deleted within 90 days of the primary deletion cycle.

10. Security Measures
Technical, administrative, and physical safeguards protecting your data

CRUXIO™ implements a comprehensive, layered security program designed to protect health data and personal information against unauthorized access, disclosure, alteration, or destruction. Our security program is aligned with HIPAA Security Rule requirements, ISO/IEC 27001 principles, and SOC 2 Type II controls.

Technical safeguards
AES-256 encryption for all data at rest; TLS 1.3 for all data in transit
Per-tenant encryption key management (KMS) with Client-controlled key rotation options
Multi-factor authentication (MFA) enforced for all platform access
Role-based access control (RBAC) with least-privilege principles enforced across all user roles
Immutable, tamper-evident audit logs with cryptographic integrity verification
Continuous security monitoring, intrusion detection, and 24×7 SOC oversight
Regular penetration testing by qualified third-party security firms
Vulnerability management program with defined SLAs for remediation by severity
Network segmentation, WAF, and DDoS protection on all public-facing infrastructure
Administrative safeguards
Designated Privacy Officer and Security Officer responsible for privacy and security programs
Annual mandatory privacy and security training for all staff handling health data
Background screening for all employees and contractors with PHI or personal data access
Documented incident response and breach notification procedures tested annually
Business continuity and disaster recovery plans with defined RTOs and RPOs
Vendor risk assessment program for all sub-processors with health data access
Breach notification
In the event of a confirmed data breach involving personal data or PHI, CRUXIO™ will notify affected Clients without undue delay, and within 72 hours for GDPR/UK GDPR purposes, or within the timeframe specified in the applicable BAA for HIPAA. We will provide the information required under applicable law and cooperate fully with regulatory notification obligations.
11. Your Privacy Rights
Rights available to individuals depending on applicable jurisdiction

Depending on your location and the applicable privacy legislation, you may have the following rights with respect to your personal data. CRUXIO™ is committed to facilitating the exercise of these rights promptly, and within the response timeframes required by applicable law.

Right of Access
Request confirmation of whether we process your personal data, and obtain a copy of that data along with information about how it is used. (GDPR Art. 15; UK GDPR; PIPEDA; Privacy Act AU; DPDPA)
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you, without undue delay. (GDPR Art. 16; UK GDPR; Privacy Act AU; DPDPA)
Right to Erasure
Request deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where there is no overriding legitimate interest or legal obligation to retain it. ("Right to be Forgotten" — GDPR Art. 17; UK GDPR; DPDPA)
Right to Restrict Processing
Request that we limit how we use your personal data in certain circumstances — for example, while the accuracy of the data is disputed. (GDPR Art. 18; UK GDPR)
Right to Data Portability
Receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller, where technically feasible. (GDPR Art. 20; UK GDPR; DPDPA)
Right to Object
Object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds. (GDPR Art. 21; UK GDPR)
Automated Decision-Making
Not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, without meaningful human review. (GDPR Art. 22; UK GDPR)
HIPAA Individual Rights
US patients have rights under HIPAA including access to PHI, request for amendment, accounting of disclosures, and restriction of uses. These are exercised through the Covered Entity (your healthcare provider), not directly through CRUXIO™ as Business Associate.

To exercise any of the above rights, contact us at info@cruxio.co with the subject line "Privacy Rights Request". We will respond within 30 days (or the timeframe required by applicable law), and may request verification of your identity before processing the request. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.

Right to lodge a complaint
If you believe your privacy rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction — including the ICO (UK), a national Data Protection Authority (EU), the Office of the Privacy Commissioner (Canada), the Office of the Australian Information Commissioner (OAIC), or the applicable national authority in the Middle East or India.
12. Cookies & Tracking Technologies
How we use cookies on our website and Platform
| Cookie Type | Purpose | Duration | Consent Required |
|---|---|---|---|
| Strictly Necessary | Authentication sessions, security tokens, load balancing. Required for the platform and website to function. | Session / up to 24h | No |
| Functional | User preferences, language settings, remembered configurations. Improve usability. | Up to 12 months | Yes |
| Analytics | Aggregated website usage data — pages viewed, session duration, referral source. Used to improve our website. | Up to 13 months | Yes |
| Marketing | Campaign attribution, interest-based targeting, remarketing (if applicable). CRUXIO™ uses these minimally on its marketing website only. | Up to 12 months | Yes |

You can manage your cookie preferences through our cookie consent tool (displayed on first visit) or through your browser settings. Disabling non-essential cookies will not impair access to core platform functionality. Note that the HIP™ Platform (authenticated environment) uses only strictly necessary cookies; analytics and marketing cookies are limited to our public marketing website.

13. Jurisdiction-Specific Provisions
Additional obligations and disclosures applicable by region
United States (HIPAA · HITECH · State Laws)
CRUXIO™ operates as a HIPAA Business Associate. BAA required prior to PHI access. We also comply with applicable state privacy laws including CCPA/CPRA (California), SHIELD Act (New York), and others. Patients exercise PHI rights through their healthcare provider (Covered Entity).

Canada (PIPEDA · Provincial Health Laws)
Processing governed by PIPEDA and applicable provincial legislation including PHIPA (Ontario), HIA (Alberta), and PIPA (BC). Data residency in Canada available on request. Individuals may challenge CRUXIO™'s compliance with PIPEDA principles through the Office of the Privacy Commissioner.

United Kingdom (UK GDPR · Data Protection Act 2018)
UK Representative designated per UK GDPR requirements. DPA executed with all UK enterprise Clients. Cross-border transfers governed by UK Adequacy Regulations and UK SCCs. Complaints may be lodged with the Information Commissioner's Office (ICO) at ico.org.uk.

Australia (Privacy Act 1988 · APPs)
Processing governed by the Privacy Act 1988 and all 13 Australian Privacy Principles (APPs). We comply with APP 8 for overseas disclosures. Notifiable Data Breach (NDB) scheme obligations apply. Complaints may be made to the Office of the Australian Information Commissioner (OAIC).

India (DPDPA 2023 · IT Act)
Processing governed by the Digital Personal Data Protection Act 2023. CRUXIO™ acts as a Data Fiduciary for direct data relationships. Explicit consent obtained for health data processing. Data Principals may exercise rights via info@cruxio.co. We comply with applicable data localization requirements for sensitive personal data.

Middle East (MEENA) (UAE PDPL · Saudi Arabia PDPL · DHCC)
Processing governed by UAE Federal Decree-Law No. 45/2021, Saudi Arabia Personal Data Protection Law, and applicable health sector regulations including DHCC, HAAD, and MOH frameworks. Data localization requirements respected. In-country deployment options available for sovereign and government health programs.
14. Children's Privacy
Our approach to data involving minors

The HIP™ Platform is an enterprise B2B product designed exclusively for use by healthcare organizations, clinical professionals, and authorized administrative staff. CRUXIO™ does not knowingly market to, or collect personal information directly from, children under the age of 13 (or the applicable age of digital consent in the relevant jurisdiction).

In the context of healthcare intelligence operations, the Platform may process clinical data pertaining to pediatric patients as part of the broader patient population data of a healthcare Client. Such processing is carried out under the BAA or DPA with the Client institution, which maintains appropriate consents and safeguards as the data controller responsible for their patients' data.

If you believe that personal data of a child has been submitted to CRUXIO™ outside of a BAA or DPA context, please contact us immediately at info@cruxio.co. We will investigate and take appropriate remedial action promptly.

15. Changes to This Policy
How we notify you of updates to our privacy practices

CRUXIO™ may update this Privacy Policy periodically to reflect changes in our data processing practices, legal obligations, regulatory requirements, or product capabilities. Material changes will be communicated as follows:

Enterprise Clients: Direct email notification to the designated DPO or privacy contact at least 30 days before material changes take effect, with a marked-up version of the Policy identifying specific changes
Platform Users: In-platform notification banner on next login, with a summary of changes and a link to the updated full Policy
Website Visitors: Updated effective date displayed prominently at the top of this Policy page; significant changes announced on our website homepage
Marketing Contacts: Email communication for changes affecting marketing data processing practices

Non-material changes (such as formatting corrections, grammatical updates, or clarifications that do not alter the substance of data processing activities) may be made without advance notice. We maintain an archive of prior Policy versions available on request.

Your continued use of the Platform or website following the effective date of a revised Policy constitutes acceptance of the updated terms. If you do not agree with the changes, you may contact us to discuss your options, including exercising your right to withdraw consent or terminate the applicable agreement.

16. Contact & Data Protection Officer
How to reach us for privacy-related enquiries, requests, and complaints

For all privacy-related enquiries, data subject rights requests, DPA or BAA discussions, or to report a suspected privacy incident, please contact us through the following channels:

Privacy & DPO enquiries: info@cruxio.co (subject line: Privacy Enquiry / Rights Request / DPO). Response within 5 business days.
General & enterprise contact: +1-640-221-0016, our global enterprise line for urgent privacy, BAA, and compliance discussions.
Registered company: Cruxio Health Intelligence Pvt. Ltd., data controller for direct website and commercial data processing.
Postal address: available on request for formal legal correspondence; email info@cruxio.co to request postal address details for your jurisdiction.
Response timeframes
We acknowledge all privacy enquiries within 5 business days. For data subject rights requests, we respond substantively within 30 days under GDPR, UK GDPR, DPDPA, PIPEDA, and the Privacy Act (AU). For HIPAA accounting of disclosures requests, we respond within 60 days. Extensions are applied only where permitted by law and with prior notification.
Built on a foundation of trust
CRUXIO™ and the HIP™ Platform are designed with privacy-by-design and security-by-default principles embedded at every architectural layer — not as an afterthought.
Frameworks and standards: HIPAA Aligned · GDPR · UK GDPR · PIPEDA · Privacy Act AU · DPDPA 2023 · UAE PDPL · SOC 2 Type II · HL7 FHIR R4 · AES-256 · NABH Ready