1. Introduction
Paradexo LLC, a Tennessee limited liability company (“Paradexo,” “we,” “us,” or “our”), operates ARCUS One. This Privacy Policy describes the information we collect, how we use it, and the choices you have regarding that information. This Policy applies to paradexo.com and to the ARCUS One application at app.paradexo.com (also reachable at arcus.paradexo.com).
2. Information We Collect
Account information
When you create an account, we collect your name, email address, and password. Password handling is performed by our authentication provider, Clerk. Paradexo does not store plaintext passwords.
Profile information
Information you voluntarily provide during onboarding or in account settings, such as your role, organization, specialty, and custom AI instructions.
Billing information
Billing is handled by Stripe. Paradexo does not store full payment card numbers. We receive limited billing metadata from Stripe (such as the last four digits of the card, expiration month and year, and billing address) for the purpose of invoicing and account management.
Usage data
Prompts, conversations, documents you upload, and token consumption associated with your account.
Technical data
IP address, browser type, device information, and session timestamps. Collected to operate the Service and to support security, fraud prevention, and audit functions.
Protected Health Information
Any Protected Health Information (“PHI”) you upload to the Service is governed by the Business Associate Agreement between you and Paradexo.
3. How We Use Information
We use the information we collect to:
- Provide, operate, and improve the Service.
- Process payments through our payment processor.
- Send service-related communications, including security alerts, billing notices, and important Service updates.
- Respond to support inquiries.
- Detect, prevent, and respond to abuse, fraud, and security incidents.
- Comply with legal and regulatory obligations.
We do not use your PHI or proprietary content to train AI models.
4. How We Share Information — Subprocessors
To deliver the Service, Paradexo engages the following subprocessors, each bound by data protection terms equivalent to or stricter than this Policy. Subprocessors that handle Protected Health Information are covered under signed Business Associate Agreements with Paradexo.
- Amazon Web Services: cloud infrastructure and AI model inference via Amazon Bedrock.
- Vercel: web hosting and content delivery.
- Neon: managed PostgreSQL database.
- Clerk: authentication and identity.
- Stripe: payment processing.
5. How We Share Information — Other Disclosures
We may disclose your information outside the subprocessors listed above in the following circumstances:
- Legal compliance: to respond to subpoenas, court orders, regulatory requests, or other valid legal process.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, in which case any successor will be bound by this Policy with respect to your information.
- With your explicit consent.
We do not sell your personal information to third parties.
6. Data Security
We maintain administrative, technical, and physical safeguards designed to protect information against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure. These safeguards include:
- Encryption of all data in transit using TLS 1.2 or higher.
- Encryption of all data at rest using AES-256.
- Access controls and authentication required for administrative and PHI-related access.
- Append-only audit logging of access and modifications to sensitive data.
- Periodic security review and penetration testing (planned).
7. Data Retention
We retain information for as long as needed to provide the Service and to satisfy our legal obligations.
- Account data: retained while your account is active and for 90 days after closure to support account recovery and dispute resolution.
- Protected Health Information: governed by the Business Associate Agreement and returned or destroyed upon termination of that agreement, in the manner specified by the BAA.
- Audit logs: retained for a minimum of 6 years to satisfy HIPAA recordkeeping requirements.
- Billing records: retained for 7 years to satisfy Tennessee tax requirements.
8. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access: download your data through Settings → Privacy → Export My Data.
- Correction: update your profile information through your account settings.
- Deletion: request deletion of your account and associated personal information by emailing support@paradexo.com. Some information may be retained as required by law, including PHI retention obligations and audit log requirements.
- Portability: export your account data in JSON format.
- Withdraw consent: cancel your subscription and request account closure at any time.
9. HIPAA and Protected Health Information
Protected Health Information uploaded by users to the Service is governed by the Business Associate Agreement between you and Paradexo. In the event of any conflict between this Privacy Policy and the BAA with respect to PHI, the BAA controls. Users are responsible for ensuring they have the appropriate legal authority to upload PHI to the Service for processing.
10. Children’s Privacy
The Service is intended for use by adults working in healthcare. ARCUS One is not directed at children under the age of 18, and Paradexo does not knowingly collect personal information from individuals under 18. If you become aware that a minor has provided us with personal information, please contact support@paradexo.com so we can take appropriate action.
11. State-Specific Rights
California residents (CCPA)
Residents of California have specific rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to request deletion, the right to opt out of the sale of personal information (Paradexo does not sell personal information), and the right to non-discrimination for exercising these rights. To exercise these rights, contact support@paradexo.com.
Other states
Paradexo acknowledges and complies with applicable privacy rights granted under the laws of other United States jurisdictions. Contact us at support@paradexo.com for state-specific requests.
12. International Data Transfers
Paradexo operates from the United States. By using the Service, you understand that your information will be stored and processed in the United States, primarily in the AWS US East region. The data protection laws of the United States may differ from those of your country of residence.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and an in-app notice at least 30 days before they take effect. The “Last updated” date at the top of this Policy reflects the most recent version. Continued use of the Service after material changes take effect constitutes acceptance of the updated Policy.
14. Contact
Questions about this Privacy Policy or our information practices may be directed to support@paradexo.com. Paradexo’s mailing address is available upon request via support@paradexo.com.