Privacy Policy

Updated June 1, 2026

  1. Overview

    This Privacy Policy describes how Kaizen Health collects, uses, shares, and protects personal information in connection with the Platform. Kaizen operates primarily as a Business Associate and service provider to health plans, healthcare providers, and governmental healthcare programs; most personal information we process is handled on behalf of and under the direction of our clients. By using the Platform, you acknowledge the practices described in this Policy.

  2. Information We Collect

    We may collect the following categories of personal information:

    • Identity data — name, date of birth, contact information, and government-issued identifiers where applicable
    • Program data — eligibility records, benefits information, and member or plan IDs
    • Service data — transportation, community services, and care coordination activity
    • Verification data — GPS coordinates, timestamps, photographs, electronic signatures, and related records
    • Communications data — SMS messages, call records, and email correspondence
    • Technical data — IP addresses, browser type, and aggregate web traffic data collected via standard web infrastructure and analytics tools

  3. How We Collect Information

    We collect information:

    • Directly from you when you use the Platform or communicate with us
    • From clients, health plans, and authorized partners on your behalf
    • From third-party data sources as permitted by applicable law
    • Automatically through standard web server logs and analytics tools that collect aggregate, non-personally-identifiable traffic data

  4. How We Use Information

    We use personal information to:

    • Provide, coordinate, and verify services
    • Operate and secure the Platform
    • Detect, investigate, and prevent fraud and abuse
    • Communicate with users and clients
    • Improve our services and conduct analytics
    • Comply with applicable legal, regulatory, and contractual obligations

  5. AI & Automated Processing

    Kaizen may use artificial intelligence (“AI”) and automated processing tools to support operations, fraud detection, scheduling, quality monitoring, and analytics. AI-assisted processes are designed to augment human decision-making and do not replace required human oversight. Where required by applicable law, meaningful human review may be applied to automated decisions that have a material impact on individuals.

    Kaizen implements policies and procedures designed to support compliance with applicable federal and state laws governing automated decision-making. Where required by applicable law, Kaizen may provide notices, explanations, human review, or other rights relating to automated processing. In many cases, Kaizen processes information on behalf of health plans, healthcare providers, and other clients, and requests relating to automated processing may need to be directed to the applicable client.

  6. How We Share Information

    We may share personal information with:

    • Clients and authorized health plan partners for program administration
    • Service providers and subcontractors acting on our behalf under appropriate data protection agreements
    • Regulators, government agencies, and legal authorities as required by applicable law
    • Successors in interest in connection with a merger, acquisition, or sale of assets

    We do not sell personal information.

  7. HIPAA Notice

    Kaizen Health primarily operates as a Business Associate as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR §160.103. Kaizen receives, maintains, transmits, and processes Protected Health Information (“PHI”) solely on behalf of and under the direction of Covered Entities and other authorized entities pursuant to applicable Business Associate Agreements.

    Kaizen does not independently determine the purposes or means of treatment, payment, or healthcare operations activities involving PHI and processes such information only as permitted by law, contract, and client instructions.

    Kaizen maintains SOC 2 and HITRUST certifications at the infrastructure level. If you have questions about how your PHI is handled, please contact us or your health plan directly.

  8. Data Security

    Kaizen uses administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, or misuse. These include encryption in transit and at rest, access controls, audit logging, and regular security assessments. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

  9. Security and Incident Reporting

    Kaizen maintains policies and procedures for detecting, investigating, mitigating, documenting, and reporting security incidents and breaches involving PHI in accordance with HIPAA, HITECH, applicable Business Associate Agreements, and other applicable laws. Security incidents are reported to applicable Covered Entities and governmental authorities within timeframes required by law and contract.

  10. Data Retention

    We retain personal information for as long as necessary to fulfill the purposes described in this Policy, to comply with legal and regulatory obligations, to support audit and program integrity requirements, and to resolve disputes. Retention periods vary by data type and applicable legal requirements, including healthcare program record retention requirements.

  11. Your Rights

    Depending on your state of residence and applicable law, you may have rights to:

    • Access or obtain a copy of your personal information
    • Correct inaccurate personal information
    • Request deletion of your personal information, subject to legal and contractual exceptions
    • Restrict or object to certain processing activities
    • Receive a response to your request within the timeframes required by applicable law

    Individuals seeking access, amendment, accounting of disclosures, restrictions, or other rights relating to PHI should contact the applicable Covered Entity, health plan, healthcare provider, or program sponsor. Kaizen assists Covered Entities in fulfilling such requests as required by applicable agreements and law. For all other requests, contact us at privacy@kaizenhealth.org.

  12. State Privacy Rights

    Residents of certain states have additional rights under applicable state privacy laws. Kaizen complies with all applicable state privacy requirements across the states in which it operates.

    California Residents (CCPA/CPRA)

    If you are a California resident whose personal information Kaizen holds directly (as distinct from information held by your employer or health plan), you may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

    • The right to know what personal information Kaizen holds about you directly
    • The right to delete personal information, subject to exceptions
    • The right to correct inaccurate personal information
    • The right to confirmation that Kaizen does not sell or share personal information for cross-context behavioral advertising
    • The right to non-discrimination for exercising your privacy rights

    Personal information that constitutes Protected Health Information under HIPAA is generally exempt from certain state consumer privacy laws, including portions of the CCPA/CPRA, to the extent provided by applicable law. To submit a California privacy request, contact us at privacy@kaizenhealth.org.

    Other State Residents

    Residents of certain states may have rights to access, correct, delete, or obtain information regarding personal information that Kaizen holds directly. Kaizen will respond to applicable requests in accordance with applicable law.

    Because Kaizen primarily operates as a Business Associate and service provider to health plans, healthcare providers, governmental healthcare programs, and other clients, most personal information processed by Kaizen is handled on behalf of and under the direction of those clients. Individuals seeking to exercise rights relating to information processed on behalf of a client should contact the applicable health plan, healthcare provider, or client directly. For information Kaizen holds independently, requests may be submitted to privacy@kaizenhealth.org.

  13. Do Not Track

    Our website does not currently respond to browser Do Not Track signals. We may use standard web analytics tools to collect aggregate, non-personally-identifiable information about site traffic and usage patterns, such as page views, browser type, and referring URLs. We do not use this data to identify individual visitors. We will update this Policy as our website and technical practices evolve.

  14. Children’s Privacy

    The Platform is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child’s information has been provided, please contact us and we will take appropriate action.

  15. De-Identified Data

    Kaizen may use de-identified and aggregated data that cannot reasonably be used to identify an individual for analytics, benchmarking, product improvement, and research. Kaizen maintains administrative, technical, and organizational safeguards designed to prevent re-identification and to support compliance with applicable law. Where Protected Health Information is de-identified, Kaizen utilizes de-identification methodologies consistent with the HIPAA de-identification standards set forth in 45 CFR §164.514.

  16. Changes to This Policy

    We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. Material changes will be communicated via the Platform or by email. We encourage you to review this Policy regularly.