Legal
Cleryn LLC ("Cleryn," "we," "us," or "our") operates cleryn.ai and provides an AI-assisted compliance review platform for sleep diagnostic centers ("Services"). This Privacy Policy explains how we collect, use, store, and protect information in connection with the Services.
This policy applies to all users of the Services, including authorized staff at sleep diagnostic centers ("Customers") who access the platform on behalf of their organizations. It does not apply to information collected by third-party services linked from our platform.
Note on HIPAA. Cleryn acts as a Business Associate under HIPAA with respect to Protected Health Information ("PHI") submitted through the Services. Our obligations regarding PHI are governed primarily by the Business Associate Agreement ("BAA") executed with each Customer, and by HIPAA's Privacy and Security Rules. This Privacy Policy supplements — but does not replace — those obligations.
When you create an account or request access, we collect:
The core function of the Services requires Customers to upload physician documents (PDFs, scanned faxes, or images) that may contain PHI, including patient names, dates of service, diagnosis codes, and clinical notes. Uploaded documents are processed in memory solely to generate the compliance review described in the BAA and are never written to persistent storage. The resulting review report — which contains reduced identifiers and a one-way hashed patient name — is retained as described in Section 4.3.
AI analysis is performed using Claude models hosted within Google Cloud's Vertex AI service, under Cleryn's Google Cloud HIPAA Business Associate Agreement. PHI is not sent to any third-party AI provider outside Google Cloud. Cleryn does not use PHI to train, fine-tune, or improve AI models, for marketing purposes, or for any use outside the scope of the BAA.
We automatically collect certain technical information when you use the Services, including:
| Data type | How we use it |
|---|---|
| Account information | To manage your account, process payments, send service communications, and confirm coverage region eligibility |
| PHI in uploaded documents | Solely to perform the compliance review and return results to you — no other use |
| Review results | To display compliance reports to authorized users within your organization and to calculate usage for billing |
| Usage data | To monitor service performance, detect abuse, and improve the platform |
| Contact information from access requests | To follow up on access requests and notify you of regional availability |
We do not sell, rent, or share your personal information or PHI with third parties for their marketing purposes.
All data transmitted between your browser and Cleryn's servers is encrypted in transit using TLS 1.2 or higher. Uploaded documents are transmitted directly to Cleryn's processing service running on Google Cloud and are held in memory only for the duration of the review.
Raw uploaded documents are not written to persistent storage, so no copy of the original document exists at rest. Review results stored in Firestore are encrypted at rest by Google Cloud using AES-256.
| Data | Retention period | Deletion method |
|---|---|---|
| Raw uploaded documents (PHI) | Not retained — processed in memory only | Discarded automatically when the review request completes; never written to persistent storage |
| Compliance review results | 90 days from review date | Automatic TTL deletion via Firestore |
| Patient name within results | Stored as SHA-256 hash only — plain-text name exists only in the encrypted result payload | Deleted with review result at 90 days |
| Account and billing records | Duration of account plus 7 years | Manual deletion upon written request, subject to legal retention obligations |
| Usage logs | 90 days rolling | Automatic rotation |
Upon termination of your account, raw documents and review results are deleted according to the schedule above. Account information is retained for the period required by applicable law and our BAA obligations.
Cleryn uses the following sub-processors to provide the Services. Each sub-processor with access to PHI has executed appropriate data processing agreements.
| Provider | Purpose | PHI access | Agreement |
|---|---|---|---|
| Google Cloud | Infrastructure, database, authentication, compute, and AI inference via Vertex AI (Claude models hosted within Google Cloud) | Yes | Google Cloud HIPAA BAA (signed) |
| Stripe | Payment processing | No | Stripe standard DPA |
| Resend / Postmark | Transactional email | No | Standard DPA |
| Formspree | Access request form submission | No | Standard privacy terms |
We will notify you of any material changes to our sub-processor list that involve PHI access.
Cleryn uses Firebase Authentication, which sets a session cookie to maintain your logged-in state. We do not use third-party advertising trackers, pixels, or analytics services that share your data with third parties. We may use Google Cloud's built-in logging and monitoring for performance and error tracking, which does not include PHI.
Cleryn implements administrative, technical, and physical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
No system is perfectly secure. In the event of a breach involving your PHI, Cleryn will notify you as required under our BAA and applicable law.
Depending on your jurisdiction, you may have rights regarding your personal information, including the right to access, correct, or delete data we hold about you. To exercise these rights, contact us at contact@somniq.live.
Requests relating to PHI of your patients must be handled by you as the covered entity. Cleryn will assist you in fulfilling patient rights requests as required under the BAA.
The Services are intended for use by healthcare professionals and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by notice within the Services at least 14 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or our data practices, contact us at:
Cleryn LLC
2654 W Horizon Ridge Pkwy, Ste B5, PMB# 305
Henderson, NV 89052
contact@somniq.live