Privacy Policy

Effective Date: September 8th, 2025

To review material modifications and their effective dates, scroll to the bottom of this page.

Introduction

Prompt Opinion, Inc. (“Prompt Opinion,” “We,” or “Us”) operates the Prompt Opinion platform available at promptopinion.ai and through associated applications (collectively the “App” or the “Services”).

The Services provide secure Workspaces for clinicians and researchers. Access to Workspaces is through a registered Prompt Opinion Account. Within a Workspace, users may interact with protected health information (PHI), patient records, research data, and organization-provided reference materials. The platform enables users to chat with patient data, perform clinical trial matching, and receive AI-powered “opinions” supported by evidence curated and maintained by the account administrator or organization.

Prompt Opinion respects and is committed to protecting the privacy of users and their patients. This Privacy Policy explains how we collect, use, disclose, and protect personal identifiable information (PII) and PHI when you use the App.

Privacy during preview

The Service is in a preview phase through November 1, 2025. During this preview, users must not upload or transmit real PHI unless Prompt Opinion has issued an invitation code enabling PHI use for that account. Accounts enabled for PHI use require a Business Associate Agreement (BAA) as described below. If you do not have an invitation code and a BAA, do not upload or transmit PHI.

Information we collect

Account information
When you register for a Prompt Opinion Account, we collect PII such as your name, email address, organization, and other details needed to create and manage your account.
Workspace data
Within a Workspace, you or your organization may upload, connect, or manage PHI, clinical notes, research data, clinical trial protocols, and proprietary grounding materials. Prompt Opinion does not share Workspace content with external parties, except as described in this policy or as required by law.
Device and technical data
We may collect information about your device, operating system, browser, app version, and diagnostic information to maintain performance, manage updates, and resolve errors. This data does not by itself identify you.
Cookies and similar technologies
We may use essential cookies and basic analytics to operate and improve the Service. You can update cookie preferences in your browser settings. If we add additional preference controls, we will link them from the App.

How we use information

We use information to:

Provide, operate, secure, and improve the Services.

Enable secure interaction with PHI, research data, and clinical trial matching functions.
Support evidence-based opinions and research workflows generated through the App.
Facilitate intelligent clinical trial matching by applying uploaded trial protocols across authorized patient data sets.
Communicate with you about the Services including security, policy, and feature updates.
Comply with legal requirements and enforce our Terms.

De-identified data

We may create and use de-identified information that meets HIPAA de-identification standards for analytics, safety, quality improvement, and product development. We will not attempt to re-identify de-identified data. We will not sell, lease, or rent de-identified data.

Automated processing and AI outputs

Certain features generate AI outputs that assist users by drafting content, summaries, patient-trial matching results, and suggestions. These outputs are assistive only. We do not use identifiable Workspace content to train third-party foundation models. If we fine-tune internal models, we do so using de-identified or synthetic data or data we are contractually permitted to use.

HIPAA status and Business Associate Agreement

If you are a Covered Entity or Business Associate and you submit PHI to the Service, Prompt Opinion will act as your Business Associate and will process PHI only under a written Business Associate Agreement (BAA) that is incorporated by reference into your agreement with Prompt Opinion. The BAA controls in the event of a conflict with this Privacy Policy as to PHI.

When you use the Services to upload, access, transmit, exchange, or receive PHI, you agree to comply with all applicable laws and regulations including HIPAA and HITECH. You represent and warrant that you have obtained all authorizations, consents, and permissions required for your use.

Information sharing

With service providers
We engage secure cloud hosting and infrastructure providers (such as Microsoft Azure) to deliver the App. These providers may access PII or PHI only to perform services on our behalf and are prohibited from using it for other purposes.
No sale of information
We do not sell, lease, or rent your PII, PHI, or Workspace data to third parties. We do not use PHI or Workspace content for targeted advertising.
With your consent
You may choose to export or share information from your Workspace with health care providers, research collaborators, or other third-party services. Data shared with third parties is governed by those parties’ policies. Prompt Opinion is not responsible for third-party products or their availability.
Legal requirements and protection of rights
We may disclose information when required to comply with laws, regulations, subpoenas, or court orders, to enforce our Terms, to protect the rights and safety of users, patients, the public, or Prompt Opinion, or to stop activity that is illegal or harmful.
Third-party resources for grounding and research
Prompt Opinion may connect to external sources such as PubMed or other public scientific databases to provide grounding for AI outputs and research workflows. PHI is not transmitted directly to these sources. Instead, we use privacy-preserving protocols, including our A2A approach, to ensure that PHI is never disclosed when accessing third-party resources.
Account owner controls for third-party sharing
An account owner may withdraw previously granted consent to a third party. After withdrawal, no new data will be sent. Prompt Opinion is not responsible for data already shared with a third party. To have shared data removed, contact the third party directly.

Proprietary grounding materials

Organizations may upload or maintain proprietary reference materials in their Workspaces. Prompt Opinion will not disclose or distribute these materials to external parties. We will not use proprietary grounding materials for model training except as expressly authorized in writing by the organization.

Data security

We implement reasonable and appropriate safeguards to protect data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. We use enterprise-grade encryption such as TLS and transparent data encryption to protect data in transit and at rest. We apply modern authentication and authorization frameworks, and data returned by APIs is scoped to the appropriate tenant and user context.

You should enable multifactor authentication for all end-user accounts, use strong unique passwords stored in a password manager, and protect any credentials and API keys. Rotate secrets regularly and store them in a secrets vault.

Breach notifications

For PHI processed under a BAA, we will provide breach notifications to you without unreasonable delay as required by HIPAA and the BAA. For non-PHI data, we will notify you as required by applicable law.

Preview resets

During the preview phase we may change features and may need to reset or delete accounts and associated data at any time without prior notice. For accounts operating under a BAA, any deletion or migration will be handled consistent with that agreement and applicable law.

Acceptable use alignment

You must not use the Service for autonomous clinical decision-making or for emergency or life-support scenarios. You must verify AI outputs against current clinical standards, labeling, evidence, and the specific patient context before relying on them. You must not upload PHI unless your account is enabled for PHI and you have a BAA in place.

Communications

By providing an email you consent to receive service messages including notices required by law. You may opt out of promotional emails at any time. You cannot opt out of essential service, security, or policy messages.

Children and privacy

The App and Services do not target and are not intended to attract children under the age of 13. We do not knowingly solicit PII from children under 13 or send them requests for PII. Parents or guardians may establish accounts for their children’s records, and any such PII is handled as described in this policy.

Account closure and data retention

You may close your Prompt Opinion Account and request deletion of Workspace data at any time. Deleting data through the App does not remove data previously shared with a third party. Contact third parties directly to manage data held by them.

We may retain certain PII in backups or as required by law, by contract with Patient Data Providers or research sponsors, or as needed for accounting, audit, and compliance purposes.

If an account is dormant for six months (e.g., no active connections, no new data, no logins, or no activity) the account will be flagged for deletion. We will send notice ninety days prior to deletion. Logging in during that period will halt deletion.

Business transfers

If Prompt Opinion is acquired, merged, or undergoes another change in ownership, we will notify users and provide an updated Privacy Policy. Continued use requires acceptance of the updated terms.

Dispute resolution

Governing law, venue, and dispute resolution for this Privacy Policy are as outlined in the Terms of Service.

California disclosures

For information relevant to California residents, see the Terms of Service and the contact information below. If you are subject to a state privacy statute that grants additional rights, contact us at info@promptopinion.ai.

Contact

Prompt Opinion, Inc.

Attn: Admin

100 Chesterfield Business Parkway, Suite 200

St. Louis, MO 63005

Email: info@promptopinion.ai

Material modifications since September 8, 2025

None

End of Privacy Policy