Legal

Privacy Policy

Last updated: April 22, 2026

1. Who we are

ClayAI Inc. (“ClayAI”, “we”, “us”) operates a physician billing platform at clayai.ca. We act as an electronic service provider to Ontario physicians, processing personal health information (PHI) on your behalf under Ontario's Personal Health Information Protection Act, 2004 (PHIPA). You, the physician, remain the health information custodian.

2. Information we collect

We collect the following categories of information:

  • Physician account information — your name, email address, OHIP billing number, specialty, facility number, and practice name.
  • Patient health information — patient names, health card numbers, dates of birth, diagnostic codes, and service codes that you enter or upload for billing purposes.
  • Day sheet images — photos or scans of clinical day sheets that you upload for AI-assisted data extraction.
  • Billing data — claims, remittance advices, encounter records, and submission history.
  • Payment information — subscription and billing data processed by Stripe. We do not store credit card numbers.
  • Usage data — log data, browser type, IP address, and interactions with the platform for security and improvement purposes.

3. How we use your information

  • To provide the ClayAI billing platform and its features, including claim preparation, submission, and reporting.
  • To process day sheet uploads using AI (optical character recognition and data extraction) to pre-populate encounter data.
  • To suggest billing codes, identify potential claim issues, and assist with rejection appeals.
  • To process your subscription payments via Stripe.
  • To send account-related communications (confirmations, billing notices, security alerts, feature updates).
  • To maintain the security and integrity of the platform.

4. AI processing and third-party services

ClayAI uses the following third-party services that may process your data:

  • OpenAI (GPT-4o) — used for day sheet OCR, code suggestions, and billing assistance. When cloud AI is enabled, de-identified or physician-authorized patient data may be sent to OpenAI's servers in the United States. You can disable cloud AI processing at any time in Settings. See our PHIPA Notice for details.
  • Supabase — database and authentication hosting (Canada Central region). All patient data at rest is stored in Canada.
  • Vercel — application hosting and CDN.
  • Stripe — payment processing. Stripe processes payment data under its own privacy policy.

5. Data storage and residency

All patient health information stored in our database resides in Canada (Supabase Canada Central region). When cloud AI features are enabled, data sent to OpenAI may be processed on servers located in the United States. We do not use patient data to train AI models. OpenAI's API does not use submitted data for model training.

6. Data sharing

We do not sell your personal or patient information. We share data only:

  • With the third-party services listed above, as necessary to operate the platform.
  • When required by law, regulation, or valid legal process.
  • To protect the rights, safety, or property of ClayAI, our users, or the public.

7. Data security

We implement industry-standard security measures including encryption in transit (TLS) and at rest, row-level security policies ensuring physicians can only access their own data, secure authentication via Supabase Auth, and regular security reviews. No system is perfectly secure — we cannot guarantee absolute security but we take reasonable measures to protect your data.

8. Data retention

We retain your account and billing data for as long as your account is active. Patient encounter and claim data is retained for a minimum of 10 years from the date of service, consistent with CPSO record-keeping requirements and OHIP audit timelines. Upon account deletion, we will securely delete data that is no longer required to be retained by law.

9. Your rights under PHIPA

As the health information custodian, you have the right to:

  • Access and export your data at any time.
  • Request correction of inaccurate information.
  • Withdraw consent for optional data processing (such as cloud AI features).
  • Delete your account and associated data, subject to legal retention requirements.
  • File a complaint with the Information and Privacy Commissioner of Ontario.

10. Cookies and analytics

ClayAI uses essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. We may use privacy-respecting analytics to understand usage patterns and improve the platform.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of ClayAI after changes constitutes acceptance.

12. Contact

Privacy questions or data requests? Reach us at privacy@clayai.ca.