Legal

Privacy Policy

Last updated: December 10, 2025. This policy explains what data BaseKey processes in the RCM platform, why we process it, and how you can exercise controls.

What We Collect

Account data: name, email, organization, and role for authentication and access control.

Operational data: workflow definitions, execution metadata, audit logs, and support diagnostics necessary to provide and secure the service.

Optional inputs: chat prompts, uploaded documents, and portal credentials you provide to run automations. These are processed under your organization’s direction.

How We Use Data

  • To authenticate users and enforce least-privilege access.
  • To deliver product functionality (workflow execution, data hub access, assistant guidance) and maintain reliability.
  • To generate security and compliance audit trails, detect abuse, and improve safety signals.
  • To provide support and incident response when you request assistance.

Sharing & Third Parties

We do not sell customer data. Limited sharing occurs with vetted sub-processors needed to run the service (cloud hosting, observability, and support tooling) under confidentiality and security obligations.

Access to PHI/PII is restricted to authorized personnel with just-in-time elevation and audit logging.

Security Measures

  • Encryption in transit (TLS) and at rest for customer data.
  • Isolated tenant data paths with access controls aligned to HIPAA and SOC 2 practices.
  • Audit logging for administrative actions, authentication events, and assistant-driven changes.
  • Vulnerability management, dependency scanning, and change control for production deployments.

Retention & Deletion

Operational data is retained for as long as necessary to provide the service, meet contractual obligations, and satisfy audit requirements.

Deletion requests for specific records can be initiated through your administrator or support, subject to legal and contractual constraints.

Your Controls

  • Use the Settings pages to manage credentials and session preferences.
  • Request data exports or deletions through your admin or support channel where permitted.
  • Limit uploads to data your organization is authorized to process; avoid unnecessary PHI in free-text prompts.

Contact & Incident Reporting

Report privacy or security concerns to security@basekey.ai with relevant timestamps and correlation IDs when available.

For contractual questions, reach your account team or DPO channel provided in your customer agreement.

Terms of ServiceSecurity Overview