Privacy Policy
Effective date: TBD on publication
1. Scope
Hando is a research-stage clinical-AI infrastructure platform. This Privacy Policy describes how Hando collects, uses, and shares information in connection with the Service. Hando is operated by the entity identified on the order form or master agreement.
This policy does not apply to data processed under a fully executed Business Associate Agreement (“BAA”); such data is governed by the BAA, the HIPAA Privacy and Security Rules, and the underlying customer agreement.
2. Data categories collected
- Account information: name, work email address, organization, and role assigned by your organization OWNER.
- Authentication telemetry: magic-link sign-in events, session timestamps, IP addresses associated with sign-in.
- Usage telemetry: anonymized API request counts, latency metrics, error rates, model selection, and per-organization budget usage.
- Audit log entries: structured records of clinical read/write events (who, what, when) per the Security page.
- Optional clinical content: handoff text, audio recordings, and derived annotations submitted by Customer users. This content is collected only when a BAA is in effect and clinical mode is enabled.
3. PHI handling
By default, every Hando deployment runs with clinical_mode=False. In this configuration the platform is exercised against synthetic and deidentified data only, and submission of Protected Health Information (“PHI”) is contractually prohibited.
For deployments that require PHI processing, clinical mode must be explicitly enabled by Hando after a BAA has been executed with Customer and with every sub-processor on the clinical path. See the Security page for the data-architecture, redaction, and audit-logging guarantees that apply when clinical mode is on.
4. Vendor sub-processors
Hando relies on the following sub-processors. Vendors marked as BAA-eligible must have a BAA executed before any PHI flows; vendors that are not BAA-eligible are disabled when clinical mode is on (per E001).
- Anthropic — primary LLM provider; BAA required for clinical mode.
- Cloudflare R2 — object storage (audio, exports); BAA-eligible.
- Neon — managed Postgres; BAA-eligible.
- Deepgram — speech-to-text for audio handoffs; BAA-eligible.
- OpenAI — optional secondary LLM provider; BAA required for clinical mode.
- Together AI — optional open-weights LLM provider; BAA-eligible if used in clinical mode.
- Langfuse — observability and tracing. Not BAA-covered; automatically disabled when clinical mode is enabled per E001.
The current execution status of each vendor BAA is published on the Security page.
5. Retention
Account information is retained for the duration of your organization's relationship with Hando plus a reasonable period for billing and audit. Audit log entries are retained per the contractual retention term (default seven (7) years for HIPAA-aligned deployments).
Clinical content is retained per the Customer's configured retention policy. A scheduled retention job (tracked internally as E025) will enforce automatic purge of expired data; until that job lands, retention is enforced operationally.
6. User rights
Subject to applicable law, you may:
- Access account information through your organization OWNER.
- Request correction of inaccurate account information.
- Request deletion of your account; OWNER-level approval may be required.
- Export audit log entries in CSV form (OWNER role only).
Self-service access, deletion, and portability tooling for clinical content is on the roadmap; until then, requests are handled operationally by Hando staff. (Placeholder pending implementation.)
7. Cookies
Hando uses a single first-party session cookie set by NextAuth to keep you signed in. We do not use third-party advertising or analytics cookies on the application surface. Marketing pages may use minimal first-party telemetry to measure aggregate page views.
8. Children's privacy
The Service is intended for licensed clinicians and clinical-research staff. The Service is not directed at, nor intended for use by, individuals under the age of 18, and Hando does not knowingly collect personal information from children.
9. Contact
Privacy questions, including requests under applicable data-protection laws, may be directed to (privacy contact email placeholder — to be set by counsel).
Last updated: 2026-05-05 (DRAFT)