Privacy Policy
Effective Date: October 4, 2025
Kalinda Inc. ("Kalinda," "we," "us," or "our") is committed to protecting the privacy and security of personal information we collect, use, and process through our cloud-based AI platform (the "Platform"). The Platform helps mass tort law firms qualify potential cases by analyzing plaintiff records, generating reports, and providing a dashboard for case management. By using the Platform, you agree to the practices described in this Privacy Policy.
This Privacy Policy applies to all users of the Platform, including our customers (law firms) and any individuals whose personal information is contained in the records uploaded to the Platform (e.g., plaintiffs). It describes our privacy practices in accordance with applicable laws, including the Health Insurance Portability and Accountability Act ("HIPAA") and its implementing regulations, as we process Protected Health Information ("PHI") as a subcontractor Business Associate of our law firm customers. We also comply with applicable U.S. state privacy laws, biometric privacy laws, and health privacy laws that supplement HIPAA. For data that our law firm customers upload to the Platform, Kalinda acts as a "service provider" or processor, processing such data only on behalf of and at the direction of our customer. In those cases, the law firm is the data controller responsible for the data. When Kalinda collects personal information directly from users (for example, account registration or billing information), Kalinda is acting as a data controller (a "business" under state law) for that information.
If you have questions about this Privacy Policy, please contact us at security@kalinda.ai.
Definitions
For clarity and consistency, the following terms used in this Privacy Policy have the meanings set forth below:
- Business Associate: As defined under HIPAA (45 C.F.R. § 160.103), an entity that performs functions or activities on behalf of a covered entity involving the use or disclosure of PHI.
- Covered Entity: As defined under HIPAA (45 C.F.R. § 160.103), typically health plans, healthcare clearinghouses, or healthcare providers.
- Personal Information or PII (Personally Identifiable Information): Any information that identifies or can be used to identify a specific individual, such as names, addresses, email addresses, phone numbers, or other identifiers, as defined under applicable privacy laws (e.g., CCPA/CPRA).
- Protected Health Information or PHI: As defined under HIPAA (45 C.F.R. § 160.103), individually identifiable health information transmitted or maintained in any form or medium, including medical records, health status, or treatment details.
- Sensitive Data: Categories of personal information requiring heightened protection, such as health data, biometric information, data concerning minors, or education records, as defined under laws like CCPA/CPRA, MHMDA, or BIPA.
- Biometric Data: Unique biological or behavioral characteristics used for identification, such as fingerprints, facial geometry, voiceprints, or retina scans, as regulated under laws like BIPA or CCPA/CPRA.
- Telemetry Data: Usage and analytics data collected from the Platform, including interaction patterns and aggregated insights, which may not be fully anonymized.
- Service Providers: Third parties (e.g., AWS, Microsoft Azure OpenAI, Stripe) that assist us in providing the Platform, bound by confidentiality and security obligations.
- Platform: Our cloud-based AI service for processing plaintiff records, generating reports, and case management.
1. Information We Collect
We collect information to provide, maintain, and improve the Platform. The types of information we collect include:
Personal Information from Users
- Account and Contact Information: When you create an account or subscribe to the Platform, we collect your email address and other contact details you provide.
- Payment Information: We process payments through Stripe, a third-party payment processor. We do not store credit card numbers or other sensitive payment details on our servers; Stripe manages all payment processing and is compliant with the Payment Card Industry Data Security Standard ("PCI DSS").
Information from Customer Uploads
- Plaintiff Records: Our law firm customers upload records related to potential cases, which may include:
  - Names, addresses, email addresses, phone numbers, and other identifiers (Personally Identifiable Information or "PII").
  - Medical records, health information, and treatment details (Protected Health Information or "PHI" under HIPAA).
  - For certain lawsuits, information about minors (intentionally for ages 13–18 and inadvertently for those under 13), education/school records, or other sensitive data.
We do not control what information customers upload, but we require customers, through our Terms of Service, to ensure uploads comply with applicable laws and their obligations to data subjects.
Usage and Technical Information
- Telemetry and Analytics: We collect usage data from the Platform (e.g., how often features are used, interaction patterns) to improve our services. This data may include aggregated insights from customer usage and is not fully de-identified (it may be linked to user accounts), but it does not include the contents of plaintiff records.
- Log Data: We automatically collect logs of system events such as successful and failed logins, security events, changes to configurations, and access to data. These logs help us monitor the Platform for security and performance.
We do not collect information from children under 13 intentionally, except inadvertently through customer uploads as described above. We do not engage in data mapping exercises yet but plan to implement them as part of our compliance efforts.
Cookies and Similar Technologies
We use cookies and similar technologies sparingly and only as necessary to operate our website and Platform effectively.
- Essential Cookies: Necessary for basic functionality such as session management and secure login.
- Analytics Cookies: We may use limited analytics cookies to collect aggregated, non-personal data about Platform usage. These do not identify individual users.
- Third-Party Cookies: Our third-party service providers (e.g., Stripe) may set cookies on our behalf. We do not use third-party advertising or tracking cookies.
We do not use cookies, pixels, tags, or beacons to track website interactions, capture IP addresses, or collect other personal information for marketing or profiling purposes. No sensitive personal data or PHI is stored in cookies or local storage.
You can manage or disable cookies through your browser settings. We do not respond to 'Do Not Track' signals as we do not engage in tracking. However, where required by applicable state law (e.g., CCPA/CPRA, CPA, CTDPA), we will recognize and process 'Universal Opt-Out Mechanisms' (UOM), such as the Global Privacy Control (GPC), as a valid request to opt out of the sale or sharing of personal information.
2. How We Use Information
- Providing the Platform: To process uploaded records, extract structured data points using AI (powered by Microsoft Azure OpenAI), generate reports, and maintain the dashboard for case viewing.
- Billing and Administration: To manage subscriptions and process payments via Stripe.
- Support and Maintenance: To respond to technical issues, troubleshoot access problems, and ensure Platform stability.
- Security and Compliance: To monitor access, detect unauthorized activity, and comply with legal obligations, including HIPAA and state privacy laws.
- Improvement: To analyze usage data for product enhancements. We never use customer data to train AI models.
- Legal and Safety: To protect against fraud, abuse, or illegal use of the Platform, and to respond to legal requests.
PHI is processed solely at the direction of our law firm customers for organizing, reviewing, and reporting on plaintiff records. We do not engage in automated decision-making that affects individuals. All uses are limited to providing the Platform or resolving technical issues.
3. Sharing and Disclosure of Information
We do not sell, rent, or share personal information for marketing or cross-context behavioral advertising purposes. We share information only as necessary to provide the Platform and comply with laws:
- Service Providers: We may share personal information with trusted third parties such as AWS (cloud hosting), Microsoft Azure OpenAI (AI processing), and Stripe (payments). These providers are bound by confidentiality and security obligations, including Business Associate Agreements for PHI.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred, subject to equivalent protections.
- Legal Requirements: If required by law, regulation, or legal process, we may disclose information. We will only disclose what is legally required and will, when feasible, notify the affected customer in advance.
- With Consent: We may disclose personal information with your explicit consent or at the direction of our law firm customers.
Customer data is siloed; each customer's data is stored and processed in separate buckets or compute pools to prevent access by others. We never share customer data with other companies for their own purposes.
4. Data Security
We prioritize the security of personal information, including PHI, and implement administrative, technical, and physical safeguards appropriate to the data we handle. Our program includes:
- Encryption: All data is encrypted at rest and in transit using strong encryption standards.
- Access Controls: Role-based, least-privilege access; multi-factor authentication; centralized logging and continuous monitoring.
- Testing and Monitoring: Regular security testing (including penetration testing and vulnerability management), threat detection and prevention, firewalling and network segmentation, and routine, resilient backups.
- Incident Response: A documented incident response process covering detection, containment, investigation, remediation, and legally required notifications.
- Assurance: Controls are designed to meet applicable legal and industry standards (including the HIPAA Security Rule). We undergo independent assessments and can provide summary reports under NDA upon request.
- Secure Development & Data Handling: Secure software development lifecycle practices and restrictions that prevent storage of personal information in client-side local storage or cookies.
Although we implement robust measures, no system is impenetrable. In the event of a security incident involving PHI, we will notify affected customers in accordance with HIPAA requirements. For incidents involving personal information not subject to HIPAA, we will provide notifications as required under applicable state data breach notification laws.
5. Data Retention and Deletion
We retain personal information only as long as necessary to provide our services or fulfill legal obligations:
- Uploaded records and generated reports are retained until the customer requests deletion or upon termination of the agreement.
- Account and billing information is retained for 7 years post-termination for tax and audit purposes.
- Usage and security logs are retained for 1 year.
Customers can request deletion of their data directly through the Platform or by emailing security@kalinda.ai. Upon a verified deletion request, or upon termination of our services, we will delete (or, if requested, return) that customer's personal data within 30 days, except where a longer retention is required by law or necessary for legitimate business purposes.
6. Children's Privacy
The Platform is not intended for children under 13, and we do not knowingly collect personal information from children under 13 (consistent with COPPA) except when it may be included inadvertently through customer uploads for certain lawsuits. If we become aware that we have received personal information directly from a child under 13, we will delete it promptly. For data on minors aged 13–18 uploaded for specific lawsuits, we process it only as directed by our law firm customers and in compliance with applicable laws. We apply the same strict security measures to minors' data as we do to other data.
7. Your Rights and Choices
Depending on your location and applicable laws (e.g., HIPAA, CCPA/CPRA, and similar state laws), you may have certain rights regarding your personal information:
- Access: The right to know what personal information we maintain about you and to obtain a copy in a portable format.
- Correction: The right to request correction of inaccurate or outdated personal information.
- Deletion: The right to request deletion of your personal information (subject to certain exceptions).
- Opt-Out: The right to opt out of certain types of processing or sharing. We do not sell personal data or use it for targeted advertising.
- Data Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format.
If your personal information is in records uploaded by a law firm customer, that law firm is responsible for fulfilling your privacy requests regarding that information. You may need to contact the law firm directly.
To exercise any applicable rights, contact us at security@kalinda.ai. We will respond to verifiable requests within 45 days, or sooner if required by law. If we need more time (up to an additional 45 days), we will inform you of the extension. If you disagree with our decision, you may appeal by contacting us again. We will not retaliate against you for exercising your privacy rights.
8. HIPAA Notice for Protected Health Information
As a subcontracted Business Associate under HIPAA, we abide by the following in handling PHI:
- Permitted Uses: We use or disclose PHI only as permitted by our Business Associate Agreement ("BAA") with our law firm customer or as required by law, solely to perform services for our customer.
- Minimum Necessary: We limit our use and disclosure of PHI to the minimum necessary to accomplish the intended purpose, as required by the HIPAA Privacy Rule.
- Safeguards: We implement administrative, physical, and technical safeguards for PHI in accordance with the HIPAA Security Rule (45 C.F.R. Parts 160 and 164).
- Breach Notification: In the event of a breach of unsecured PHI, we will notify the law firms without unreasonable delay and in no case later than 60 days after discovery, as required by 45 C.F.R. § 164.410.
- Subcontractors: Any subcontractor that may access PHI is also a Business Associate. We ensure such subcontractors sign BAAs or equivalent agreements.
- Individual Rights: We assist our covered entity customers as needed in fulfilling individual rights under HIPAA (e.g., providing individuals with copies of their records stored on our Platform).
A copy of our standard BAA is available upon request. This Privacy Policy supplements, but does not replace, the BAA.
9. Artificial Intelligence (AI) Use and Compliance
We use AI technologies to extract structured data points from uploaded medical and legal records, generating reports that summarize lawsuit-relevant information, powered by Microsoft Azure OpenAI.
- AI Processing: Uploaded data, including PHI and PII, is passed through AI models solely to generate reports at the direction of our law firm customers. We do not use customer data to train, retrain, or improve AI models.
- No Automated Decision-Making: Our AI does not engage in automated decision-making that produces legal effects or similarly significant effects on individuals. AI-generated outputs are summaries to aid human decision-makers; the Platform does not make final decisions about eligibility, compensation, or legal rights.
- Biometrics: We do not intentionally collect or process biometric data. If biometric information is incidentally included in uploaded records, it is processed only as part of the overall record analysis and subject to the same protections as other PHI/PII.
- Risks and Safeguards: We mitigate risks through strong encryption in transit, siloed processing, and contractual obligations with Microsoft Azure OpenAI to prevent unauthorized use or retention of data.
- Compliance with AI Laws: We monitor and comply with emerging AI regulations, including state laws on high-risk AI systems (e.g., Colorado AI Act).
If you have concerns about AI processing, contact us at security@kalinda.ai.
10. U.S. State-Specific Privacy, Biometrics, and HIPAA-Related Laws
We operate in the United States and comply with state-specific laws in addition to federal requirements like HIPAA. We do not sell personal information or process data for targeted advertising.
Comprehensive Consumer Privacy Laws
We comply with applicable state consumer privacy laws, including: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), ICDPA (Iowa), INCDPA (Indiana), OCPA (Oregon), TDPSA (Texas), MCDPA (Montana), Florida Digital Bill of Rights, DPDPA (Delaware), NJDPA (New Jersey), New Hampshire Privacy Act, NDPA (Nebraska), TIPA (Tennessee), MCDPA (Minnesota), and MODPA (Maryland).
- Requests: Submit via privacy@kalinda.ai. We will verify identity and respond within 45 days (with one permitted extension of 45 days).
- Appeals: You may appeal within 60 days; we will respond with reasons and how to contact your state AG if you disagree.
- Sensitive Data: We do not sell or share personal data, do not process biometric identifiers for identification, and do not conduct targeted advertising or profiling.
Biometric Information Privacy Laws
We comply with biometric privacy laws wherever applicable, including Illinois' Biometric Information Privacy Act (BIPA), Texas' Capture or Use of Biometric Identifier Act (CUBI), Washington's Biometric Data Law (RCW 19.375), and similar regulations in other jurisdictions.
Health Privacy Laws Supplementing HIPAA
We also comply with state health privacy laws that supplement or exceed HIPAA where applicable, including Washington's My Health My Data Act (MHMDA), Nevada's Consumer Health Data Privacy Law, California's Confidentiality of Medical Information Act (CMIA), and health data provisions within the comprehensive privacy laws listed above.
11. International Data Transfers
We operate solely in the United States, and all user data is stored and processed on servers located in U.S. data centers (primarily through AWS in the U.S.). We do not transfer personal data outside the U.S. If in the future we expand to international markets, we will do so in compliance with applicable data transfer laws.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make a material change, we will notify you via email or a prominent notice on the Platform at least 30 days before the changes take effect. We will also update the "Effective Date" at the top of the Policy. Your continued use of the Platform after any changes become effective constitutes acceptance of the updated Policy.
13. Governing Law and Choice of Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Washington, USA, without regard to its conflict of laws principles. Any legal action or proceeding arising under this Privacy Policy will be brought exclusively in the federal or state courts located in the State of Washington. This Privacy Policy does not limit your ability to file a complaint with a governmental authority (such as a state Attorney General or the FTC).
14. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at: