1. Introduction & Scope
Empwr AI ("Empwr," "we," "us") provides software for physicians to estimate their professional and facility-side economic value. This Privacy Policy describes what information we collect from people who create accounts and use the platform ("you," "users"), how we use it, and with whom we share it.
This policy covers our users — physicians and the staff who act on their behalf. It does not cover patients of those physicians, because the platform is not designed to receive patient information. See Section 2.
2. Important Notice — Not a HIPAA Business Associate
Empwr is not a HIPAA Covered Entity or Business Associate. The Service is not designed to receive, store, or process Protected Health Information (PHI) as defined by 45 CFR 160.103, and we do not sign Business Associate Agreements (BAAs).
You are responsible for removing patient identifiers from any document you upload — including names, dates of birth, medical record numbers, addresses, phone numbers, email addresses, and any other element that would render the data PHI. Before uploading case logs, please use only de-identified data.
If you upload a document containing patient identifiers in violation of this policy, please contact us at privacy@empwrmedical.ai so we can delete the file.
3. Information We Collect
We collect the following categories of information:
- Account information — email address, full name, and (if you sign in with Google) the OAuth profile fields Google provides to us.
- Professional information — specialty, employer type, practice state and city, optional hospital selection, and the compensation and workload figures you enter into the calculator.
- Uploaded documents — PDFs, Excel, or CSV files you submit for analysis. These files should not contain patient identifiers (see Section 2). The text and structured data extracted from these files are stored with your account.
- Payment information — handled directly by Stripe. We do not see or store card numbers; we receive a record that a charge succeeded along with a Stripe customer or payment identifier.
- Usage and diagnostic data — standard server logs (timestamps, IP, error traces) generated by our hosting provider.
4. How We Use Information
We use the information we collect to:
- Authenticate your account and operate the platform.
- Run the calculations and generate the reports you request.
- Process payments for paid reports.
- Diagnose errors, monitor service health, and improve the accuracy of our calculations.
- Respond when you contact us.
We do not sell personal information.
5. AI / Automated Processing
Some features of the platform send portions of the data you upload to a third-party AI provider for processing. The current provider is identified in the sub-processor list in Section 6. Specifically:
- When you upload a PDF document, we send the file to the AI provider for classification and for extracting structured fields (e.g., compensation figures, case counts).
- When you upload a spreadsheet (Excel or CSV), we send the column headers and a small sample of rows to the AI provider to identify which columns contain procedure codes, dates, and counts. Before that sample is sent, we automatically strip columns whose names match common patient-identifier patterns (e.g., columns named "patient_name," "MRN," "DOB"). This mitigation reduces — but does not eliminate — the chance of incidental PHI exposure, which is why your obligation to upload only de-identified data (Section 2) remains the controlling rule.
The AI provider processes this content as a sub-processor under their published terms. We do not have a Business Associate Agreement with this provider. If you require BAA-covered AI processing, this Service is not appropriate for your use.
6. Sub-processors
We rely on the following third-party services to operate the platform. None of these vendors has signed a Business Associate Agreement with us; do not upload PHI to the Service.
| Vendor | Purpose | Region |
|---|---|---|
| OpenAI | Document classification, field extraction, and CPT normalization | United States |
| Supabase | Authentication, primary database, and file storage | United States |
| Stripe | Payment processing for paid reports | United States |
| Google | Optional Google OAuth sign-in | United States |
| Vercel | Application hosting and edge runtime | Global (United States primary) |
7. Data Storage & Retention
Account information, calculator inputs, uploaded documents, and generated reports are stored in a Supabase Postgres database in the United States. Row-level security policies restrict access so that users can only read their own rows.
We retain your account data and reports for as long as your account is active. If you request deletion (see Section 9), we delete your account and associated data from our active systems within 30 days. Routine database backups may retain copies for up to an additional 30 days before being cycled out.
8. Data Security
All traffic to and from the platform uses TLS. Database access is restricted by Supabase row-level security policies. Authentication is handled by Supabase Auth, and we support Google OAuth.
We do not represent the platform as a HIPAA-compliant environment. If you need a HIPAA-compliant platform for PHI, please use one.
9. Your Choices & Rights
You can:
- Update profile information from your account settings page.
- Request deletion of your account and all associated data by emailing privacy@empwrmedical.ai. We process deletion requests manually and aim to confirm within 30 days.
- Request a copy of the data we hold about you by emailing the same address.
We do not currently offer self-serve data export tooling. Depending on your jurisdiction, you may have additional rights under applicable law; the email above is the correct channel to invoke them.
11. Children’s Privacy
The Service is intended for licensed medical professionals and is not directed at anyone under the age of 18. We do not knowingly collect information from children. If you believe a child has provided information to us, please contact us so we can delete it.
12. Changes to This Policy
We may update this Privacy Policy. When we do, we will update the "Last updated" date at the top of the page. For material changes, we will provide additional notice (such as an email or an in-product banner) before the change takes effect.
13. Contact
Questions about this policy, deletion requests, or privacy concerns: privacy@empwrmedical.ai.
See also our Terms of Service.