Privacy Policy
1. About This Policy
Cloud Anesthesia Solutions, LLC ("Cloud Anesthesia," "we," "us," or "our") provides a software-as-a-service application for operating-room and anesthesia case scheduling (the "Service"). This Privacy Policy explains how we collect, use, share, and protect personal information when you:
- Visit our marketing website at https://cloud-anesthesia.com (the "Website");
- Use the Service at https://app.cloud-anesthesia.com or any tenant-specific subdomain (e.g., *.app.cloud-anesthesia.com);
- Contact us through any communication channel (email, phone, support form, etc.).
This Policy applies to personal information about:
- Visitors to the Website who have not signed in;
- Authorized Users of the Service (typically anesthesiologists, CRNAs, schedulers, administrators, and other staff of customer practices);
- Business contacts at prospective or current customer organizations.
1.1 What This Policy Does NOT Cover
- Patient Protected Health Information ("PHI"). When the Service processes PHI on behalf of a healthcare customer ("Covered Entity"), Cloud Anesthesia acts as a business associate under HIPAA, and that PHI is governed by the Business Associate Agreement (BAA) between Cloud Anesthesia and the Covered Entity, not by this Privacy Policy. If you are a patient seeking access to or correction of your medical information, please contact your healthcare provider directly.
- Third-party websites or services linked from the Website or the Service. Those services have their own privacy policies.
- Practice-specific privacy practices of our customers. If you are an employee or staff member of one of our customer practices, your employer's privacy practices govern how your employer collects and uses your information.
2. Information We Collect
2.1 Information You Provide to Us
- Account Information (Authorized Users): name, work email address, role/title, employer (practice or hospital), password (stored as a salted hash), preferences, and similar information necessary to provision a user account.
- Communications: information you send to us through contact forms, email, support tickets, or phone calls (e.g., your name, email, message contents, and any attachments).
- Business Contact Information (prospective customers): name, title, organization, work email, work phone, and any information you provide during sales or onboarding conversations.
2.2 Information Collected Automatically
When you use the Website or the Service, we automatically collect:
- Log Data: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and similar technical information.
- Session Data: a session cookie used to keep you signed in to the Service.
- Audit Records (Service only): records of actions you take in the Service (e.g., logins, schedule publications, configuration changes), retained to satisfy HIPAA's audit log requirements at 45 C.F.R. §164.312(b).
- Device Information: where applicable, device identifiers, screen size, and similar diagnostic information.
The Website does not currently use third-party analytics, advertising trackers, social-media pixels, or marketing cookies. We may add a single first-party analytics tool (e.g., self-hosted Plausible or similar privacy-respecting analytics) in the future; if we do, this Policy will be updated and notice will be provided.
2.3 Information from Third Parties
We may receive limited information about you from:
- Your employer (a Covered Entity), when you are provisioned as an Authorized User of the Service.
- Identity verification or anti-fraud services, if applicable.
- Public sources, such as professional networking sites or your practice's public website, in the course of sales and customer-relationship activities.
2.4 We Do Not Knowingly Collect Children's Information
The Service and the Website are not directed to children under thirteen (13), and we do not knowingly collect personal information from children under thirteen (13). If you believe we have collected such information, please contact us at the address in §11.
2.5 Data Minimization
We collect and retain only the personal information reasonably necessary to provide and operate the Service, communicate with you, maintain security, comply with legal obligations, and pursue the other purposes described in §3. We do not request, collect, or retain personal information that is not reasonably needed for these purposes, and we periodically review our collection and retention practices to confirm they remain appropriate.
3. How We Use Personal Information
We use personal information to:
- Provide and operate the Service: authenticate Authorized Users, route requests to the correct tenant, display the Service, and process the inputs you provide.
- Communicate with you: respond to inquiries, provide customer support, send service-related notices (e.g., security alerts, scheduled maintenance, policy updates), and provide invoices.
- Maintain security and prevent fraud: detect, investigate, and respond to suspicious activity, abuse, security incidents, and policy violations; maintain audit logs.
- Improve the Service: analyze usage patterns, fix bugs, and develop new features. Where we use de-identified or aggregated data for these purposes, it is no longer personal information.
- Comply with legal obligations: respond to lawful requests from regulators, courts, and law enforcement, and meet HIPAA, tax, and other regulatory requirements.
- Enforce our agreements: enforce the Terms of Service, the BAA, and other contracts; defend or pursue legal claims.
- Marketing (business contacts only): send occasional updates about Cloud Anesthesia features, blog posts, and product news to business contacts. You may opt out of marketing emails at any time using the unsubscribe link or by contacting us.
We will not use Authorized User personal information for advertising, profiling for behavioral advertising, or sale to third parties.
3.1 Automated Processing and Algorithmic Suggestions
The Service may include automated, rule-based, statistical, or algorithmic features that generate scheduling suggestions, case-assignment recommendations, fatigue or workload alerts, and similar workflow aids ("Algorithmic Outputs"). Algorithmic Outputs are non-clinical operational tools intended to support administrative decision-making by your employer's authorized personnel (e.g., a boardrunner or scheduling administrator), who reviews and either accepts, modifies, or rejects each suggestion before it takes effect.
We do not use Algorithmic Outputs to make legally significant decisions about you without meaningful human review. Algorithmic Outputs are not medical advice, clinical decision support, or substitutes for professional clinical judgment. Where required by applicable law (including California's Automated Decision-Making Technology regulations), you may request information about the logic, intended use, and potential impact of Algorithmic Outputs that significantly affect you by contacting us at the address in §11. We will respond to such requests in accordance with applicable law.
3.2 Annual Review
We review this Privacy Policy and our underlying privacy practices at least annually, and update both as needed to reflect changes in our operations, technology, legal obligations, and industry guidance.
4. How We Share Personal Information
We share personal information in the following limited circumstances:
4.1 With Your Employer (Covered Entity)
If you are an Authorized User, your employer (the customer practice) has full visibility into your activity in the Service — including the audit log entries we maintain on its behalf — because your employer controls its instance of the Service.
4.2 With Service Providers (Subprocessors)
We engage third-party service providers to help us deliver the Service. Subprocessors process personal information only on our documented instructions and under written agreements that obligate them to protect the information. Our current subprocessors are listed at https://cloud-anesthesia.com/subprocessors. Subprocessors with access to PHI are also listed in Appendix B of our BAA.
4.3 In Connection with Legal Process
We may disclose personal information when we believe in good faith that disclosure is required by law, including in response to subpoenas, court orders, and other legal process; to comply with regulatory obligations; or to protect the rights, property, or safety of Cloud Anesthesia, our customers, or others. Where legally permissible, we will give you advance notice and an opportunity to challenge the request.
4.4 In Connection with a Business Transaction
If Cloud Anesthesia is involved in a merger, acquisition, financing, or sale of all or substantially all of its assets, personal information may be transferred as part of that transaction, subject to the protections of this Policy or a successor policy that is at least as protective.
4.5 With Your Direction
We may share personal information when you direct us to do so, for example, when you authorize an integration with a third-party tool.
4.6 De-identified and Aggregated Data
We may share de-identified or aggregated information (data that does not identify and cannot reasonably be used to identify an individual) for any lawful purpose, including industry benchmarks, research, and analytics. We will not attempt to re-identify such information.
4.7 We Do Not Sell or Share Personal Information
We do not sell personal information, and we have not sold personal information in the preceding twelve (12) months, in either case as "sale" is defined under the California Consumer Privacy Act ("CCPA") or other applicable law. We do not "share" personal information for cross-context behavioral advertising as that term is used in the California Privacy Rights Act ("CPRA"). Because we neither sell nor share personal information, no opt-out is required to prevent these activities — there is nothing to opt out of. We will not begin selling or sharing personal information without first updating this Policy, providing reasonable advance notice, and (where applicable) offering an effective opt-out mechanism.
5. Cookies and Similar Technologies
We use a small number of strictly necessary cookies:
- Session cookie (named "session"): set when you sign in to the Service to keep you signed in. It is HttpOnly and SameSite=Strict, and is deleted when you sign out or when the session expires.
The Website may set a cookie to remember non-essential preferences (e.g., dark mode) if such features are added. We do not use third-party advertising cookies, social-media tracking pixels, or cross-site analytics cookies.
You can control cookies through your browser settings. Note that disabling the session cookie will prevent you from using the Service.
6. Security
We maintain administrative, physical, and technical safeguards reasonably designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction, including encryption in transit (TLS 1.2+), encryption at rest where commercially reasonable, role-based access controls, audit logging, tenant isolation, vulnerability management, and workforce training. Our security practices are described in more detail in our BAA §4 and Terms of Service §7.
No security program can guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you in accordance with applicable law — typically within thirty (30) to sixty (60) days of discovery depending on jurisdiction, and in no event later than the maximum period required by the applicable state breach-notification statute (and, for PHI, by HIPAA's Breach Notification Rule at 45 C.F.R. §164.400 et seq.). If you are an Authorized User of a customer practice, notification will follow the breach-notification provisions of the BAA between us and your employer, which may direct notice through your employer rather than directly to you.
7. Data Retention
We retain personal information for as long as needed to provide the Service and for the following periods after the end of your use of the Service:
- Account information: retained for the life of your employer's subscription; deleted within sixty (60) days after the close of the Export Window described in the Terms of Service §6.5, subject to backup expiration on the normal rotation.
- Audit records: retained for a minimum of six (6) years to satisfy HIPAA's audit log retention requirement at 45 C.F.R. §164.316(b)(2)(i).
- Communications and support records: retained for as long as reasonably necessary to provide support, resolve disputes, and comply with our legal obligations (typically not more than three (3) years after the last interaction, unless retention is required by law).
- Backups: subject to a rotation not to exceed twelve (12) months.
When we no longer need personal information for a permitted purpose, we will delete it or de-identify it.
8. Your Privacy Rights
Depending on where you live, you may have certain rights regarding your personal information. Cloud Anesthesia honors the following rights for all U.S. residents, whether or not your state's law requires it:
- Right to know / access: request a copy of the personal information we hold about you.
- Right to correct: request that we correct inaccurate or incomplete personal information.
- Right to delete: request that we delete personal information we hold about you, subject to legal exceptions (e.g., we must retain audit records to comply with HIPAA).
- Right to data portability: request a copy of your personal information in a structured, machine-readable format.
- Right to opt out of marketing: opt out of marketing communications at any time.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
8.1 How to Exercise Your Rights
To exercise any of these rights, please email privacy@cloud-anesthesia.com or submit a request to the address in §11. We may need to verify your identity before responding. We will respond to verifiable requests within forty-five (45) days, or such shorter time as applicable law requires.
8.2 Important Limitation for Authorized Users
If you are an Authorized User of the Service, much of the information we hold about you was collected from or on behalf of your employer (the Covered Entity). For requests relating to that information — particularly requests to delete account information or audit records — we may direct you to your employer, who controls the relevant data in its instance of the Service. We will inform you when this is the case and assist your request to the extent operationally feasible. By way of example, even where your employer is the controller of the data, we may: (a) confirm to you the categories of information we hold about you; (b) provide log or audit excerpts to your employer at its direction; (c) correct factual inaccuracies in your account profile (e.g., name spelling, contact email) directly upon your request, with notice to your employer; and (d) coordinate with your employer to facilitate access or deletion where the employer authorizes it.
8.3 Patient Information
If you are a patient and wish to exercise rights with respect to your medical information stored in the Service on behalf of a healthcare provider, please contact your provider directly. HIPAA gives you specific rights, including the right to access and amend your medical records, which you generally must exercise through your provider.
8.4 California Residents (CCPA / CPRA)
In addition to the rights described above, California residents have the right to receive certain disclosures about the categories of personal information we collect, the purposes for which we collect it, and the categories of third parties with whom we share it. As of the Effective Date:
| Category of Personal Information (Cal. Civ. Code §1798.140) | Collected? | Purposes |
|---|---|---|
| Identifiers (name, email, IP address) | Yes | Provide and operate the Service; security; communications |
| Customer records (Cal. Civ. Code §1798.80(e)) | Yes | Provide and operate the Service; billing |
| Commercial information | Limited | Billing |
| Internet/network activity (logs, audit records) | Yes | Security; operations; HIPAA audit log |
| Geolocation (precise) | No | — |
| Sensory data (audio, video, biometric) | No | — |
| Professional/employment information | Yes | Role-based access; sales |
| Education information | No | — |
| Inferences | No | — |
| Sensitive personal information (CPRA) | Limited — account credentials (treated as such) | Authentication only |
We retain personal information as described in §7. We do not sell or share personal information for cross-context behavioral advertising (§4.7). California residents may exercise their CCPA/CPRA rights as described in §8.1.
Right to Limit Use of Sensitive Personal Information. Under Cal. Civ. Code §1798.121, California residents may request that we limit the use and disclosure of "sensitive personal information" (as defined by the CPRA, which includes account log-in credentials in combination with credentials that permit access) to use reasonably necessary to provide the Service or as otherwise permitted by §1798.121(a). We use sensitive personal information only for those permitted purposes; we do not use it to infer characteristics about you, build profiles, or for any purpose outside §1798.121(a). To request that we further limit use of your sensitive personal information, contact us at the address in §8.1.
Notice at Collection. A short Notice at Collection summarizing the categories of personal information collected, purposes of collection, retention periods, and a link to this Policy is presented at or before the point of collection (for example, on the Service's login and account-creation pages and on Website contact forms). The current Notice at Collection is available at https://cloud-anesthesia.com/notice-at-collection.
8.5 California Confidentiality of Medical Information Act (CMIA)
Where the Service processes medical information of California residents on behalf of a Covered Entity, that information is governed by the California Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.) and HIPAA. If California law provides greater protection than HIPAA, we will apply the greater protection as to those California residents' information. See the BAA §13.8 for additional detail.
8.6 Other State Laws
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive consumer-privacy laws have rights similar to those described above. We honor those rights for all U.S. residents under §8.
8.7 Authorized Agents
You may designate an authorized agent to make a privacy request on your behalf. We may require verification of the agent's authority before processing the request.
9. International Users
The Service is operated from the United States and is intended for use by healthcare practices in the United States. Personal information we collect is stored and processed in the United States. If you access the Website or the Service from outside the United States, please be aware that your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those in your country.
We do not currently offer the Service to customers outside the United States. We do not transfer PHI outside the United States (see BAA §4.7).
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. Material changes will be effective no earlier than thirty (30) days after we post the updated Policy on the Website or notify Authorized Users by email or in-Service notice. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Service or the Website after the effective date of the updated Policy constitutes acceptance.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact:
Cloud Anesthesia Solutions, LLC
Attn: Privacy Officer
Contact us at legal@cloud-anesthesia.com for our current mailing address.
Email: privacy@cloud-anesthesia.com
The Privacy Officer function at Cloud Anesthesia is currently performed by Cloud Anesthesia's chief executive, until separately designated in writing. All inquiries to privacy@cloud-anesthesia.com are reviewed by this individual or their delegate.
For security-related concerns: security@cloud-anesthesia.com
For legal notices: legal@cloud-anesthesia.com
We aim to respond to all inquiries within five (5) business days.
11.1 Complaints
If you believe we have not handled your personal information in accordance with this Policy or applicable law, you may file a complaint with us at the contact information above. You may also have the right to file a complaint with:
- The California Attorney General (https://oag.ca.gov/privacy);
- The U.S. Department of Health and Human Services, Office for Civil Rights, if your complaint relates to PHI handled by Cloud Anesthesia as a business associate (https://www.hhs.gov/hipaa/filing-a-complaint/);
- Your state attorney general or applicable data protection authority.