Privacy Policy
Effective Date: October 4, 2025
Kalinda Inc. ("Kalinda," "we," "us," or "our") is committed to protecting the privacy and security of personal information we collect, use, and process through our cloud-based AI platform (the "Platform"). The Platform helps mass tort law firms qualify potential cases by analyzing plaintiff records, generating reports, and providing a dashboard for case management. By using the Platform, you agree to the practices described in this Privacy Policy.
This Privacy Policy applies to all users of the Platform, including our customers (law firms) and any individuals whose personal information is contained in the records uploaded to the Platform (e.g., plaintiffs). It describes our privacy practices in accordance with applicable laws, including the Health Insurance Portability and Accountability Act ("HIPAA") and its implementing regulations, as we process Protected Health Information ("PHI") as a subcontractor Business Associate of our law firm customers. We also comply with applicable U.S. state privacy laws, biometric privacy laws, and health privacy laws that supplement HIPAA. For data that our law firm customers upload to the Platform, Kalinda acts as a “service provider” or processor, processing such data only on behalf of and at the direction of our customer. In those cases, the law firm is the data controller responsible for the data. When Kalinda collects personal information directly from users (for example, account registration or billing information), Kalinda is acting as a data controller (a “business” under state law) for that information.
If you have questions about this Privacy Policy, please contact us at security@kalinda.ai.
Definitions
For clarity and consistency, the following terms used in this Privacy Policy have the meanings set forth below:
Business Associate: As defined under HIPAA (45 C.F.R. § 160.103), an entity that performs functions or activities on behalf of a covered entity involving the use or disclosure of PHI.
Covered Entity: As defined under HIPAA (45 C.F.R. § 160.103), typically health plans, healthcare clearinghouses, or healthcare providers.
Personal Information or PII (Personally Identifiable Information): Any information that identifies or can be used to identify a specific individual, such as names, addresses, email addresses, phone numbers, or other identifiers, as defined under applicable privacy laws (e.g., CCPA/CPRA).
Protected Health Information or PHI: As defined under HIPAA (45 C.F.R. § 160.103), individually identifiable health information transmitted or maintained in any form or medium, including medical records, health status, or treatment details.
Sensitive Data: Categories of personal information requiring heightened protection, such as health data, biometric information, data concerning minors, or education records, as defined under laws like CCPA/CPRA, MHMDA, or BIPA.
Biometric Data: Unique biological or behavioral characteristics used for identification, such as fingerprints, facial geometry, voiceprints, or retina scans, as regulated under laws like BIPA or CCPA/CPRA.
Telemetry Data: Usage and analytics data collected from the Platform, including interaction patterns and aggregated insights, which may not be fully anonymized.
Service Providers: Third parties (e.g., AWS, Microsoft Azure OpenAI, Stripe) that assist us in providing the Platform, bound by confidentiality and security obligations.
Platform: Our cloud-based AI service for processing plaintiff records, generating reports, and case management.
1. Information We Collect
We collect information to provide, maintain, and improve the Platform. The types of information we collect include:
Personal Information from Users
Account and Contact Information: When you create an account or subscribe to the Platform, we collect your email address and other contact details you provide.
Payment Information: We process payments through Stripe, a third-party payment processor. We do not store credit card numbers or other sensitive payment details on our servers; Stripe manages all payment processing and is compliant with the Payment Card Industry Data Security Standard ("PCI DSS").
Information from Customer Uploads
Plaintiff Records: Our law firm customers upload records related to potential cases, which may include:
Names, addresses, email addresses, phone numbers, and other identifiers (Personally Identifiable Information or "PII").
Medical records, health information, and treatment details (Protected Health Information or "PHI" under HIPAA).
For certain lawsuits, this may include information about minors (intentionally for ages 13-18 and inadvertently for those under 13), education/school records, or other sensitive data.
We do not control what information customers upload, but we require customers, through our Terms of Service, to ensure uploads comply with applicable laws and their obligations to data subjects, including promises not to upload unnecessary PII, PHI, or other sensitive data without proper authorization or consent.
Usage and Technical Information
Telemetry and Analytics: We collect usage data from the Platform (e.g., how often features are used, interaction patterns) to improve our services. This data may include aggregated insights from customer usage and is not fully de-identified (it may be linked to user accounts), but it does not include the contents of plaintiff records.
Log Data: We automatically collect logs of system events such as successful and failed logins, security events, changes to configurations, and access to data. These logs help us monitor the Platform for security and performance.
We do not collect information from children under 13 intentionally, except inadvertently through customer uploads as described above. We do not engage in data mapping exercises yet but plan to implement them as part of our compliance efforts.
Cookies and Similar Technologies
We use cookies and similar technologies sparingly and only as necessary to operate our website and Platform effectively. This section outlines our practices to ensure transparency and compliance with applicable privacy laws.
Types of Cookies We Use
Essential Cookies: These are necessary for the basic functionality of our website and Platform, such as maintaining session management and enabling secure login. They do not track user behavior or collect personal information beyond what is required for operation.
Analytics Cookies: We may use limited analytics cookies to collect aggregated, non-personal data about Platform usage (e.g., page views) to improve performance. These do not identify individual users.
Third-Party Cookies: Our third-party service providers (e.g., Stripe for payments) may set cookies on our behalf. We do not use third-party advertising or tracking cookies.
We do not use cookies, pixels, tags, or beacons to track website interactions, capture IP addresses, or collect other personal information for marketing or profiling purposes. No sensitive personal data or PHI is stored in cookies or local storage. We minimize the use of cookies to essential functionality, session management, or user preferences.
Managing Cookies
You can manage or disable cookies through your browser settings. Note that disabling essential cookies may affect the functionality of our Platform. For more information on how to control cookies, visit your browser's help section or sites like allaboutcookies.org. We do not respond to 'Do Not Track' signals as we do not engage in tracking. However, where required by applicable state law (e.g., CCPA/CPRA, CPA, CTDPA), we will recognize and process 'Universal Opt-Out Mechanisms' (UOM), such as the Global Privacy Control (GPC), as a valid request to opt out of the sale or sharing of personal information, even though we do not engage in those activities.
If we introduce new cookies or change our practices, we will update this Privacy Policy and, where required by law (e.g., under CCPA/CPRA or similar state laws), obtain your consent via a cookie banner or notice.
2. How We Use Information
We use the information we collect for the following purposes:
Providing the Platform: To process uploaded records, extract structured data points using AI (powered by third-party models from Microsoft Azure OpenAI), generate reports summarizing lawsuit-relevant details, and maintain the dashboard for case viewing.
Billing and Administration: To manage subscriptions, process payments via Stripe, and enforce usage-based fees (per case processed) and monthly recurring fees.
Support and Maintenance: To respond to technical issues, troubleshoot access problems, and ensure Platform stability via email support at security@kalinda.ai. This may include remote access to customer systems, but PHI handling remains consistent.
Security and Compliance: To monitor access, detect unauthorized activity, and comply with legal obligations, including HIPAA and state privacy laws.
Improvement: To analyze usage data for product enhancements. We never use customer data to train AI models.
Legal and Safety: To protect against fraud, abuse, or illegal use of the Platform, and to respond to legal requests.
PHI is processed solely at the direction of our law firm customers for organizing, reviewing, and reporting on plaintiff records. We do not engage in automated decision-making that affects individuals (e.g., banning users or blocking content). All uses are limited to providing the Service or resolving technical issues, and we do not use personal data for any purposes beyond those described above without additional notice or consent.
3. Sharing and Disclosure of Information
Our legal basis for processing the personal information we collect as a data controller (e.g., your account or billing information) is generally to perform our contract with you, to pursue our legitimate business interests in maintaining security and improving the Platform, or to comply with applicable law. We do not sell, rent, or share personal information for marketing or cross-context behavioral advertising purposes. We share information only as necessary to provide the Platform and comply with laws:
Service Providers: We may share personal information with trusted third parties who assist us, such as:
AWS (for cloud hosting in U.S. regions) and Microsoft Azure OpenAI (for AI processing). These providers are bound by confidentiality and security obligations consistent with ours, including Business Associate Agreements for PHI.
Stripe (for payments).
Business Transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred, subject to equivalent protections, provided that the recipient agrees to protect the personal information in a manner equivalent to the protections described in this Policy.
Legal Requirements: If we are required by law, regulation, or legal process (such as a subpoena or court order) to disclose information, or if disclosure is necessary to protect our rights, enforce our terms, or protect the safety of our users or others, we may do so. We will only disclose what is legally required and will, when feasible, notify the affected customer in advance (unless prohibited by law).
With Consent: We may disclose personal information with your explicit consent or at the direction of our law firm customers (for instance, if a law firm customer instructs us to transfer data to a third party, or if an individual whose data is in the Platform consents to a disclosure).
Customer data is siloed; each customer's data is stored and processed in separate buckets or compute pools to prevent access by others. We never share customer data with other companies for their own purposes.
4. Data Security
We prioritize the security of personal information, including PHI, and implement administrative, technical, and physical safeguards appropriate to the data we handle. Our program includes:
Encryption: All data is encrypted at rest and in transit using strong encryption standards.
Access Controls: Role-based, least-privilege access; multi-factor authentication; centralized logging and continuous monitoring.
Testing and Monitoring: Regular security testing (including penetration testing and vulnerability management), threat detection and prevention, firewalling and network segmentation, and routine, resilient backups.
Incident Response: A documented incident response process covering detection, containment, investigation, remediation, and legally required notifications; production, test, and development environments are logically separated.
Assurance: Controls are designed to meet applicable legal and industry standards (including the HIPAA Security Rule). We undergo independent assessments and can provide summary reports under NDA upon request.
Secure Development & Data Handling: Secure software development lifecycle practices, change/configuration management, and restrictions that prevent storage of personal information in client-side local storage or cookies.
Although we implement robust measures, no system is impenetrable. In the event of a security incident involving PHI, we will notify affected customers in accordance with HIPAA requirements. For incidents involving personal information not subject to HIPAA, we will provide notifications to affected individuals and regulators as required under applicable state data breach notification laws.
5. Data Retention and Deletion
We retain personal information only as long as necessary to provide our services or fulfill legal obligations:
Uploaded records and generated reports are retained until the customer requests deletion or upon termination of the agreement.
Account and billing information is retained for 7 years post-termination for tax and audit purposes.
Usage and security logs are retained for 1 year.
Customers can request deletion of their data directly through the Platform or by emailing security@kalinda.ai. Upon a verified deletion request, or upon termination of our services with a customer, we will delete (or, if requested, return) that customer’s personal data within 30 days, except where a longer retention is required by law or necessary for legitimate business purposes (such as resolving disputes or enforcing agreements). We maintain a data destruction policy and ensure that all customer data is securely destroyed from our systems (including backups) after a reasonable period following termination.
6. Children's Privacy
The Platform is not intended for children under 13, and we do not knowingly collect personal information from children under 13 (consistent with COPPA) except when it may be included inadvertently through customer uploads for certain lawsuits. If we become aware that we have received personal information directly from a child under 13, we will delete it promptly. For data on minors aged 13–18 uploaded for specific lawsuits, we process it only as directed by our law firm customers and in compliance with applicable laws (including any relevant state privacy laws protecting minors). We do not have specific safeguards beyond general security measures but require customers to obtain necessary consents. We apply the same strict security measures to minors’ data as we do to other data, and we rely on our customers to obtain any necessary parental consent or authorization before uploading a minor’s information.
7. Your Rights and Choices
Depending on your location and applicable laws (e.g., HIPAA, or state privacy laws like the CCPA/CPRA in California and similar laws in other states), you may have certain rights regarding your personal information. These rights may include:
· Access: The right to know what personal information we maintain about you and to obtain a copy of that information in a portable format.
· Correction: The right to request that we correct or update any inaccurate or outdated personal information.
· Deletion: The right to request deletion of your personal information that we have collected (subject to certain exceptions under the law).
· Opt-Out: The right to opt out of certain types of processing or sharing of your personal information. For example, you can opt out of any sale of your personal data or use of your data for targeted advertising (although we do not engage in those practices as noted above). Essential uses of data (such as for providing the service or for billing) cannot be opted out of.
· Data Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format, and/or to have that information transmitted to another entity where technically feasible.
Note: Law firm customers control the plaintiff records they upload to the Platform. If your personal information is contained in records that were uploaded by one of our customers (for example, if you are a plaintiff whose medical records were added to the Platform by a law firm), that law firm is responsible for fulfilling your privacy requests regarding that information. You may need to contact the law firm directly to exercise your rights. If we receive a rights request directly from an individual whose data we process on behalf of a customer, we may either refer your request to the appropriate customer or cooperate with the customer to address the request, consistent with our role as a service provider.
To exercise any applicable rights or to make a privacy-related request, you (or an authorized agent acting on your behalf) may contact us by email at security@kalinda.ai or by using the contact information provided in the “Contact Us” section below. We will respond to verifiable requests within 45 days, or sooner if required by law. If we need more time (up to an additional 45 days), we will inform you of the extension and the reason. If we decline to take action on your request, we will inform you of the reasons for the denial.
If you disagree with our decision regarding a privacy request, you may appeal by replying to our response email or contacting us again and indicating that you are lodging an appeal. We will review and respond to appeals within the time frame required by applicable law (generally within 45 days of receipt of the appeal). Should you remain unsatisfied after the appeal, you may have the right to contact the Attorney General or privacy regulator in your state to lodge a further complaint.
We will not retaliate against or discriminate against you for exercising any of these rights. In other words, we will not deny you our services, charge you a different price, or provide a lesser quality of service just because you exercised your privacy rights.
8. HIPAA Notice for Protected Health Information
As a subcontracted Business Associate under HIPAA, we are committed to safeguarding PHI entrusted to us. In handling PHI, we abide by the following:
Permitted Uses: We use or disclose PHI only as permitted by our Business Associate Agreement ("BAA") with our law firm customer (which may be acting as a Covered Entity or a Business Associate to a Covered Entity) or as required by law. Common uses include treatment, payment, and operations support for law firms. In practice, we use PHI solely to perform services for our customer (for example, to organize and review medical records as part of a law firm’s case preparation, which is a form of “health care operations”) or for other purposes permitted by HIPAA on behalf of the covered entity.
Minimum Necessary: We limit our use and disclosure of PHI to the minimum necessary to accomplish the intended purpose, as required by the HIPAA Privacy Rule.
Safeguards: We implement administrative, physical, and technical safeguards for PHI in accordance with the HIPAA Security Rule (45 C.F.R. Parts 160 and 164). (See the "Data Security" section above for details on our security measures.)
Breach Notification: In the event of a breach of unsecured PHI, we will notify the law firms without unreasonable delay and in no case later than 60 days after discovery of the breach, as required by 45 C.F.R. § 164.410. We will provide information about the breach as required so that the law firms can fulfill any notification obligations to affected individuals and regulators.
Subcontractors: Any subcontractor we use that may access PHI (e.g., our cloud hosting provider or our AI processing provider) is also a Business Associate. We ensure that any such subcontractor signs a BAA or equivalent agreement that requires it to protect PHI to the same extent we do.
Individual Rights: Under HIPAA, individuals have rights over their PHI (such as the right to access or amend their medical records). Those rights are generally exercised through the covered entity (for example, the healthcare provider or plan). We assist our covered entity customers as needed in fulfilling these individual rights (for instance, by helping a law firm provide an individual with a copy of their records stored on our Platform).
A copy of our standard BAA is available upon request. This Privacy Policy supplements, but does not replace, the BAA. We comply with HIPAA updates, including any new regulations proposed or finalized in 2025, such as updates to the HIPAA Privacy Rule or Security Rule.
9. Artificial Intelligence (AI) Use and Compliance
We use AI technologies to enhance the Platform, specifically to extract structured data points from uploaded medical and legal records, generating reports that summarize lawsuit-relevant information. This process is powered by third-party AI models from Microsoft Azure OpenAI. Key details include:
AI Processing: Uploaded data, including PHI and PII, is passed through AI models solely for the purpose of generating reports at the direction of our law firm customers. We do not use customer data to train, retrain, or improve AI models, neither our own nor third-party models.
Transparency and Consent: We will implement explicit consent mechanisms for AI use if and when required by emerging AI laws.
No Automated Decision-Making: Our AI does not engage in automated decision-making that produces legal effects or similarly significant effects on individuals. The AI-generated outputs are summaries and data extraction to aid human decision-makers (e.g., attorneys); the Platform does not make final decisions about eligibility, compensation, or legal rights of any individual.
Biometrics: We do not intentionally collect or process biometric data (e.g., fingerprints, facial recognition data, or voiceprints). If biometric information is incidentally included in uploaded records (e.g., in medical imaging), it is processed only as part of the overall record analysis and subject to the same protections as other PHI/PII. We comply with applicable biometric privacy laws, as detailed in Section 10.
Risks and Safeguards: We recognize that transmitting data to any AI model carries potential risks (such as the risk of the data being retained by the AI provider or intercepted in transit). We mitigate these risks through strong encryption of data in transit, siloed processing (each customer’s data is processed separately and not combined), and contractual obligations with our AI provider (Microsoft Azure OpenAI) to prevent unauthorized use or retention of the data. Outputs (e.g., the summary reports) are owned by Kalinda and are provided to our customers for their use. These outputs are factual summaries and are not considered intellectual property.
Compliance with AI Laws: We monitor and comply with emerging AI regulations, including state laws on high-risk AI systems (e.g., Colorado AI Act, which regulates algorithmic discrimination in AI decisions). No federal AI privacy law exists as of this date, but we adhere to best practices for transparency, fairness, and non-discrimination in AI use.
If you have concerns about AI processing, contact us at security@kalinda.ai.
10. U.S. State-Specific Privacy, Biometrics, and HIPAA-Related Laws
We operate in the United States and comply with state-specific laws in addition to federal requirements like HIPAA. Below is a list of key U.S. state laws related to comprehensive consumer privacy, biometrics, and health privacy (supplementing HIPAA) in effect as of October 2025. This list is not exhaustive and may evolve; we adjust our practices accordingly. We do not sell personal information or process data for targeted advertising, and we use sensitive personal information only as needed to provide our services (and not for any secondary purposes).
Comprehensive Consumer Privacy Laws
These laws generally regulate personal data collection, use, disclosure, and provide rights to individuals (such as rights to opt out of certain processing, access data, delete data, etc.). Many of these laws also define certain data (like health information or biometric identifiers) as “sensitive” and require additional protections or consents. Key examples include:
California: California Consumer Privacy Act (CCPA) as amended by California Privacy Rights Act (CPRA).
Virginia: Consumer Data Protection Act (VCDPA).
Colorado: Colorado Privacy Act (CPA).
Connecticut: Connecticut Data Privacy Act (CTDPA).
Utah: Utah Consumer Privacy Act (UCPA).
Iowa: Iowa Consumer Data Protection Act (ICDPA).
Indiana: Indiana Consumer Data Protection Act (INCDPA).
Oregon: Oregon Consumer Privacy Act (OCPA).
Texas: Texas Data Privacy and Security Act (TDPSA).
Montana: Montana Consumer Data Privacy Act (MCDPA).
Florida: Florida Digital Bill of Rights (limited to large companies).
Delaware: Delaware Personal Data Privacy Act (DPDPA).
New Jersey: New Jersey Data Privacy Act (NJDPA).
New Hampshire: New Hampshire Privacy Act.
Nebraska: Nebraska Data Privacy Act (NDPA).
Tennessee: Tennessee Information Protection Act (TIPA).
Minnesota: Minnesota Consumer Data Privacy Act (MCDPA).
Maryland: Maryland Online Data Privacy Act (MODPA).
We assess which laws apply based on factors like the state of residence of the individuals whose data we process and where our customers operate. Depending on your state, you may have rights to access, correct, delete, receive a portable copy, and appeal a decision.
· Requests: Submit via privacy@kalinda.ai. We will verify identity and respond within 45 days (with one permitted extension of 45 days).
· Appeals: You may appeal within 60 days; we will respond with reasons and how to contact your state AG if you disagree.
· Sensitive Data: We do not sell or share personal data, and we do not process biometric identifiers for identification. We do not conduct targeted advertising or profiling that produces legal or similarly significant effects.
· Consumer Health Data (CHD): If any processing falls outside HIPAA, we will comply with applicable CHD obligations.
Biometric Information Privacy Laws
We comply with biometric privacy laws wherever applicable, including but not limited to Illinois' Biometric Information Privacy Act (BIPA), Texas' Capture or Use of Biometric Identifier Act (CUBI), Washington's Biometric Data Law (RCW 19.375), and similar regulations in other jurisdictions. These laws govern the collection, use, storage, and disclosure of biometric data, and we ensure our practices meet requirements for consent, transparency, and data protection.
Health Privacy Laws Supplementing HIPAA
We also comply with state health privacy laws that supplement or exceed HIPAA where applicable. These include, for example: Washington’s My Health My Data Act (MHMDA), which regulates certain “consumer health data” not covered by HIPAA (such as wellness app data, geolocation related to health, and certain biometric health information); Nevada’s Consumer Health Data Privacy Law, which covers consumer health data outside of HIPAA; California’s Confidentiality of Medical Information Act (CMIA), which in some cases provides stricter protections than HIPAA for medical information held by certain entities; and health data provisions within the comprehensive privacy laws listed above (many of which impose special rules for handling health information). These laws impose additional requirements on health data handling, and we implement any enhanced safeguards or individual rights required by those laws. For example, some laws require opt-in consent before selling or sharing health-related information or provide stronger rights for consumers to delete health data — we will follow those requirements whenever applicable.
11. International Data Transfers
We operate solely in the United States, and all user data is stored and processed on servers located in U.S. data centers (primarily through AWS in the U.S.). We do not transfer personal data outside the U.S. If in the future we expand to international markets or need to transfer data internationally, we will do so in compliance with applicable data transfer laws (such as entering into EU Standard Contractual Clauses, if relevant).
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make a material change, we will notify you via email or a prominent notice on the Platform at least 30 days before the changes take effect (or a longer period if required by law). We will also update the "Effective Date" at the top of the Policy. Your continued use of the Platform after any changes to this Privacy Policy become effective constitutes acceptance of the updated Policy.
13. Governing Law and Choice of Law
This Privacy Policy and any disputes arising out of or related to it or the Platform’s use of your information shall be governed by and construed in accordance with the laws of the State of Washington, USA, without regard to its conflict of laws principles. Any legal action or proceeding arising under this Privacy Policy will be brought exclusively in the federal or state courts located in the State of Washington, and by using the Platform you hereby irrevocably consent to the personal jurisdiction and venue of those courts. Notwithstanding the foregoing, if any applicable privacy law provides you with the right to file a complaint or claim in another forum or with a governmental authority (such as a state Attorney General or the FTC), this Privacy Policy does not limit your ability to do so.
14. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:
Kalinda Inc.
15947 NE 120th St.
Redmond, WA 98052
Email: security@kalinda.ai
Kalinda Inc. 2025