This document is a template and should be reviewed by legal counsel before relying on it.

Privacy Policy

Last updated: July 6, 2026

Sapyyn is a patient referral platform used by healthcare providers, practices, and patients to coordinate referrals, share records, and manage related documents. This Privacy Policy explains what information we collect, how we use it, and the choices and rights available to you.

1. Information We Collect

We collect the following categories of information when you use Sapyyn:

  • Account information: name, email address, phone number, practice or organization name, professional role, and login credentials.
  • Patient referral data and protected health information (PHI): when a provider submits or manages a referral, we may process patient names, contact details, clinical reason for referral, treatment notes, insurance information, and related medical information.
  • Uploaded documents: medical records, imaging, insurance forms, and other supporting documents uploaded to the platform.
  • Usage and analytics data: log data, device and browser information, IP address, pages visited, and interactions with the platform, used to operate and improve the service.
  • Billing information: subscription plan, invoicing details, and payment status, processed through our third-party payment processor.

2. How We Use Information

We use collected information to:

  • Provide, operate, and maintain the referral platform, including creating, tracking, and completing referrals between providers.
  • Authenticate users and enforce role-based access controls.
  • Send transactional notifications related to referrals, appointments, and account activity, including by email and SMS.
  • Process subscription billing and manage accounts.
  • Monitor, secure, and improve the platform, including through audit logging and analytics.
  • Comply with legal, regulatory, and contractual obligations.

3. How Information Is Shared

We do not sell personal information or PHI. We share information only as needed to operate the platform, including with:

  • Service providers and subprocessors: cloud hosting providers, email delivery services, SMS/text messaging providers, and payment processors, each engaged to perform services on our behalf under contractual confidentiality and security obligations.
  • Other providers in the referral network: when you create or receive a referral, relevant patient and clinical information is shared with the referring or receiving provider as part of the referral workflow.
  • Legal and safety purposes: when required by law, subpoena, or court order, or to protect the rights, property, or safety of Sapyyn, our users, or others.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to continued protection of personal information.

Where PHI is involved, we enter into Business Associate Agreements (BAAs) with covered entities and require appropriate safeguards from subprocessors that handle PHI on our behalf.

4. Security Measures

We use administrative, technical, and physical safeguards designed to protect information, including encryption of data in transit and at rest, role-based access controls, authentication requirements, and audit logging of referral and account activity. No system can be guaranteed 100% secure, and we continually work to improve our security practices.

5. Data Retention

We retain account information and referral records for as long as your account is active and as needed to provide the service, comply with legal and recordkeeping obligations applicable to healthcare data, resolve disputes, and enforce our agreements. Retention periods for PHI may be longer where required by applicable healthcare recordkeeping laws. When information is no longer needed, we take steps to delete or de-identify it.

6. Your Rights

Depending on your role and applicable law, you may have the right to access, correct, export, or request deletion of your personal information, and to object to or restrict certain processing. Patients seeking access to or correction of their health information should also contact their treating provider directly, as providers remain responsible for the clinical record. To exercise these rights, contact us using the information below.

7. Cookies and Similar Technologies

We use cookies and similar technologies to keep you signed in, remember preferences, and understand how the platform is used. You can control cookies through your browser settings, though disabling cookies may limit some functionality.

8. Children's Data

Sapyyn is intended for use by healthcare providers, practice staff, and adult patients. The platform is not directed to children under 13, and we do not knowingly collect personal information directly from children under 13. Information about pediatric patients may be submitted by a provider or guardian as part of the referral process.

9. International Data Transfer

Sapyyn is operated in the United States. If you access the platform from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data protection laws different from those in your jurisdiction.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above, and where appropriate, through additional notice.

11. Contact Us

Questions about this Privacy Policy or requests regarding your information can be directed to your Sapyyn administrator or through the contact information provided on our Contact page.