AccuRecord AI Privacy Policy

Effective Date: March 7, 2025 | Last Updated: March 7, 2025 | Governing Law: California

This Privacy Policy explains how AccuRecord AI, LLC (“AccuRecord AI,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with your use of our websites, applications, and services (collectively, the “Services”), including icd10codingpro.com and accurecord.io. By creating an account or using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Services.

1. Scope and PHI Boundary

1.1 This Privacy Policy covers all personal information AccuRecord AI collects in connection with the Services, including account and contact data, usage and device data, billing information, and — for customers under an executed Business Associate Agreement (“BAA”) — Protected Health Information (“PHI”) as defined under HIPAA.

1.2 PHI Boundary. AccuRecord AI applies two sets of PHI rules, depending on whether the account has an executed BAA in effect:

  • Accounts without an executed BAA (ICD-10 Coding Pro and all Free or reference-only tiers): PHI must not be entered, uploaded, or transmitted. These Services are not designed or configured to handle PHI under HIPAA without an executed BAA. If PHI is inadvertently submitted, AccuRecord AI may delete it without notice and is not liable for any regulatory consequences arising from unauthorized PHI submission.
  • Accounts with an executed BAA (ICD-10 Coding API Pro and Enterprise tiers, and the enterprise Platform): PHI is supported only on these BAA-eligible plans and only to the extent permitted by the applicable BAA and HIPAA. In the event of any conflict between this Privacy Policy and the BAA with respect to PHI, the BAA and HIPAA obligations control.

1.3 This Privacy Policy does not apply to third-party websites or services linked from our Services. AccuRecord AI is not responsible for the privacy practices of any third party.

2. Information We Collect

2.1 Information You Provide to Us

  • Account and contact information: name, email address, phone number (collected for anti-abuse and account verification only, not used for marketing), job title, and organization name.
  • Billing information: payment method details are processed and stored exclusively by Stripe. AccuRecord AI stores only your Stripe customer ID and subscription status. AccuRecord AI never has access to your full payment card number, CVV, or bank account details.
  • Support communications: messages, emails, or other communications you send to AccuRecord AI support.
  • Customer Content: data, text, files, and other content you submit to the Services, including coding queries, uploaded organization guidelines (Corporate plans), and AI Coding Guide messages. You must not submit PHI as Customer Content unless your account has an executed BAA in effect.

2.2 Information Collected Automatically

  • Usage data: pages visited, features used, search queries entered, codes looked up, session duration, and clickstream data.
  • Device and network information: IP address, browser type and version, operating system, device type, referring URLs, and time zone.
  • Cookies and similar technologies: see Section 8 for details.
  • Telemetry and performance metrics: application performance data, error logs, and system health metrics. AccuRecord AI applies PII redaction to telemetry data before export to any monitoring system. AI chat messages are not included in telemetry logs.

2.3 PHI (Customers with an Executed BAA Only)

If your account has an executed BAA in effect (on the ICD-10 Coding API Pro or Enterprise tiers, or the enterprise Platform), you may submit PHI to AccuRecord AI as permitted by that BAA. AccuRecord AI uses and discloses PHI only as required to provide the Services to you and as permitted under the BAA and HIPAA. PHI is never used to train AI models, and is subject to the retention and destruction obligations set forth in your BAA.

3. How We Use Your Information

AccuRecord AI uses the information it collects for the following purposes:

  • Providing and operating the Services: authenticating your account, processing subscriptions, delivering AI Coding Guide responses, and enabling all product features.
  • Account management and billing: processing payments via Stripe, managing subscription status, issuing receipts, and handling trial and renewal cycles.
  • Customer support: responding to your inquiries, diagnosing technical issues, and resolving disputes.
  • Security and fraud prevention: detecting and preventing unauthorized access, abuse, fraud, and other harmful activity; phone numbers collected at signup are used solely for anti-abuse verification (e.g., OTP via Twilio) and are not used for marketing.
  • Product improvement: analyzing de-identified and aggregated usage data to improve features, performance, and user experience. PHI is never used for product improvement except as expressly permitted by your BAA.
  • Legal compliance: complying with applicable laws, regulations, court orders, and government requests; enforcing AccuRecord AI’s Terms of Service and other agreements.
  • Communications: sending transactional emails (account confirmations, payment receipts, password resets). AccuRecord AI does not send marketing emails unless you have opted in. You may opt out of any marketing communications at any time by emailing [email protected] or clicking unsubscribe.

4. How We Share Your Information

AccuRecord AI does not sell your personal information. We do not share personal information for cross-context behavioral advertising. We may share information in the following limited circumstances:

  • Service providers and subprocessors: AccuRecord AI shares information with third-party vendors who provide infrastructure, payment processing, authentication, monitoring, and communication services on our behalf. All subprocessors are bound by data processing agreements that restrict their use of your data to the purposes for which it was shared. See Section 5 for the current subprocessor list.
  • Corporate account administrators: If you use the Services under a Corporate account, your organization’s designated administrators may have access to your account activity and usage data within the organization’s workspace.
  • Legal compliance and protection: AccuRecord AI may disclose information when required by law, subpoena, court order, or other legal process; to protect the rights, property, or safety of AccuRecord AI, its users, or the public; or to detect or prevent fraud or security incidents.
  • Business transactions: If AccuRecord AI is involved in a merger, acquisition, asset sale, or other corporate transaction, personal information may be transferred to the successor entity, subject to confidentiality obligations. Affected users will be notified as required by applicable law.
  • De-identified and aggregated data: AccuRecord AI may share de-identified or aggregated data that cannot reasonably be used to identify any individual, for analytics, research, or business purposes.
  • With your consent: AccuRecord AI may share your information for any other purpose with your explicit consent.

5. Subprocessors

AccuRecord AI uses the following primary subprocessors that may process personal information or Customer Content on AccuRecord AI’s behalf. All subprocessors are under contract with appropriate data protection obligations. AccuRecord AI will provide at least thirty (30) days’ advance notice before adding or replacing a subprocessor that processes Customer Content (except in urgent security circumstances).

Subprocessor | Purpose | Data Processed | Location
Microsoft Azure | Cloud infrastructure, AI inference (Azure AI Foundry), telemetry, blob storage, key vault, transactional email (Azure Communication Services) | Customer Content (AI session only), org guidelines, usage telemetry (PII-redacted) | United States
Cloudflare | CDN, DNS, DDoS protection, and edge security/WAF for accurecord.io | Network metadata and IP addresses. No PHI. No request bodies stored. | Global (edge)
OpenAI API (via Azure OpenAI) | Language model inference for AI Coding Guide; vector embeddings for org guidelines | AI chat messages (session only, not stored); PDF text embeddings | United States
Stripe | Payment processing, subscription billing, customer portal | Email address, subscription status, Stripe customer ID. No PHI. Full card data handled exclusively by Stripe. | United States
Twilio Verify | SMS OTP for account verification and anti-abuse | Phone number (E.164) for OTP only. Not linked to PHI. | United States
Google / Microsoft OAuth | Federated user authentication | OAuth identity tokens. No PHI transmitted. | United States

6. AI Data Handling

6.1 AI Chat Messages. Messages you submit to the AI Coding Guide are transmitted to HIPAA-eligible AI infrastructure (Microsoft Azure AI Foundry and/or OpenAI API via Azure OpenAI) solely to generate a coding guidance response. These messages are:

  • Not stored, retained, or logged by AccuRecord AI beyond the duration of the active session required to generate a response.
  • Not used to train, fine-tune, retrain, benchmark, or otherwise improve any AI model operated by AccuRecord AI or any third-party AI provider.
  • Transmitted exclusively over TLS 1.2+ encrypted connections to HIPAA-eligible cloud infrastructure in the United States.
  • Processed under Business Associate Agreements that AccuRecord AI has executed (or will execute prior to processing PHI) with Microsoft Azure and OpenAI as required sub-processors.

6.2 Org-Uploaded Guidelines. Corporate Pro + AI subscribers may upload organization-specific coding guidelines (PDFs). These documents are stored in encrypted blob storage (Microsoft Azure) and used solely to generate AI coding guidance within your organization’s account. They are not shared with other organizations or used to train any AI model.

6.3 Embeddings. Text extracted from uploaded guideline PDFs may be converted into vector embeddings for semantic search and AI retrieval. These embeddings are stored in your organization’s isolated vector store and are deleted upon account termination.

7. Data Retention

AccuRecord AI retains personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. Specific retention periods are as follows:

  • Account information: Duration of active account plus three (3) years following account closure, or as required for legal compliance.
  • AI chat messages: Not retained beyond the active session. No persistent storage.
  • Usage logs and telemetry: Detailed logs retained for ninety (90) days; aggregated, de-identified analytics retained indefinitely.
  • Uploaded guidelines (Corporate): Retained for the duration of the Corporate subscription. Deleted within thirty (30) days of account termination unless earlier deletion is requested.
  • Support communications: Three (3) years following resolution.
  • Billing records: Seven (7) years for tax and legal compliance purposes, as required by applicable law.
  • Marketing preferences: Until you opt out or close your account.
  • Enterprise PHI: As specified in your BAA, typically returned or destroyed within thirty (30) days of BAA termination, unless legally required to retain.

Upon account deletion, AccuRecord AI will delete or de-identify your personal information within thirty (30) days, subject to the above retention periods and any legal holds.

8. Cookies and Tracking Technologies

8.1 AccuRecord AI uses the following categories of cookies and similar technologies on its websites:

  • Essential cookies: Required for the Services to function, including session management, authentication tokens, and security. Cannot be disabled.
  • Preference cookies: Store non-essential settings such as your theme preference. May be disabled through your browser.

AccuRecord AI does not use third-party analytics, advertising, or cross-site tracking cookies (for example, Google Analytics or Azure Application Insights), and does not load any third-party tracking scripts. The cookies we set are first-party only. See the Cookie Policy for the full inventory.

8.2 You may manage or disable non-essential cookies through your browser settings. Disabling essential cookies may impair your ability to use the Services.

8.3 AccuRecord AI’s websites do not currently respond to “Do Not Track” signals from browsers, as there is no industry-standard definition of what such signals require. AccuRecord AI does not engage in cross-site tracking or sell data to advertisers.

9. Data Security

9.1 AccuRecord AI implements commercially reasonable administrative, physical, and technical safeguards to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include:

  • Encryption in transit: TLS 1.2 or higher for all data transmitted between your browser and AccuRecord AI’s servers.
  • Encryption at rest: AES-256 encryption for stored Customer Content and account data.
  • Access controls: OAuth 2.0 and JWT-based authentication; role-based access controls limiting employee access to personal information on a need-to-know basis.
  • Audit logging: Application-level audit logs with PII redaction before export to telemetry or monitoring systems.
  • Infrastructure security: HIPAA-eligible cloud infrastructure operated by Microsoft Azure with physical security controls, availability SLAs, and independent security certifications (SOC 2, ISO 27001).
  • Incident response: Formal security incident response procedures with defined breach notification timelines consistent with the BAA and applicable law.

9.2 No security system is completely impenetrable. AccuRecord AI cannot guarantee that unauthorized third parties will never be able to defeat its security measures. In the event of a data breach affecting your personal information, AccuRecord AI will notify you as required by applicable law.

10. International Data Transfers

10.1 AccuRecord AI, LLC is based in the United States. If you access the Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other countries where AccuRecord AI’s service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

10.2 For transfers of personal information from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States, AccuRecord AI relies on lawful transfer mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other mechanisms recognized under applicable data protection law.

10.3 By using the Services, you acknowledge and consent to the transfer of your personal information to the United States and other jurisdictions as described in this Privacy Policy.

11. Children’s Privacy

The Services are not directed to individuals under the age of eighteen (18). AccuRecord AI does not knowingly collect personal information from children under 18. If AccuRecord AI becomes aware that it has collected personal information from a child under 18, it will take prompt steps to delete that information. If you believe AccuRecord AI has collected information from a child under 18, please contact us at [email protected].

12. Your Rights and Choices

12.1 General Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Access: Request a copy of the personal information AccuRecord AI holds about you. A GDPR data export is available at accurecord.io/profile/export.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention requirements. Contact [email protected] to request account deletion.
  • Portability: Request a copy of your personal information in a structured, machine-readable format.
  • Opt-out of marketing: Unsubscribe from marketing communications at any time via the unsubscribe link in any email or by contacting us.

To exercise any of these rights, contact AccuRecord AI at [email protected]. AccuRecord AI will respond within thirty (30) days, or as otherwise required by applicable law. AccuRecord AI may need to verify your identity before processing your request.

12.2 California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the sources, the business or commercial purpose, and the categories of third parties with whom it is shared.
  • Right to Delete: Request deletion of personal information collected from you, subject to certain exceptions (e.g., legal compliance, completing a transaction).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: AccuRecord AI does not sell your personal information and does not share it for cross-context behavioral advertising. No opt-out is required.
  • Right to Limit Use of Sensitive Personal Information: AccuRecord AI uses sensitive personal information only for purposes permitted under CCPA, including providing the Services.
  • Right to Non-Discrimination: AccuRecord AI will not discriminate against you for exercising your CCPA rights.

Categories of personal information collected in the past 12 months: identifiers (name, email, phone, IP address); commercial information (subscription history, billing records); internet/network activity (usage logs, device information); professional information (job title, organization); and inferences drawn from the above for security and fraud prevention purposes.

To submit a CCPA request: email [email protected] with subject line “CCPA Request,” or call 612-845-3432. You may designate an authorized agent to make a request on your behalf; AccuRecord AI may require verification of your identity and the agent’s authority before processing the request.

12.3 EEA / UK / Swiss Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information is processed under the General Data Protection Regulation (GDPR) or equivalent law. AccuRecord AI processes your personal information on the following legal bases:

  • Performance of a contract: processing necessary to provide the Services you have subscribed to.
  • Legitimate interests: fraud prevention, security monitoring, product improvement (de-identified), and enforcing AccuRecord AI’s terms.
  • Legal obligation: compliance with applicable laws and regulations.
  • Consent: for any marketing communications (where required).

In addition to the rights in Section 12.1, EEA/UK/Swiss residents have the right to object to processing based on legitimate interests, and the right to lodge a complaint with a supervisory authority in your jurisdiction. To exercise your GDPR rights, contact [email protected].

13. Modifications to This Policy

AccuRecord AI reserves the right to modify this Privacy Policy at any time. If AccuRecord AI makes material changes, it will provide notice by: (a) posting the updated Privacy Policy on the applicable website with an updated “Last Updated” date; and (b) sending notice to your registered email address at least thirty (30) days before material changes take effect. Your continued use of the Services after the effective date of any modification constitutes your acceptance of the updated Privacy Policy. If you do not agree to modified terms, you must stop using the Services and close your account before the effective date.

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or AccuRecord AI’s data practices:

Company: AccuRecord AI, LLC
Privacy / Support: [email protected]
Legal: [email protected]
Website: accurecord.io
Mailing Address: 309 Old County Rd Apt 246, Belmont, CA 94002, USA
Phone (CCPA requests): 612-845-3432

© 2025 AccuRecord AI, LLC. All rights reserved.