Privacy Policy

This Privacy Policy describes how Launchpad, an OpenLoop Healthcare product ("Compass," "we," "us," or "our"), collects, uses, and shares information about you when you use our website at joincompass.ai and the Compass platform ("Service").

We are committed to compliance with the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and applicable US federal and state health privacy laws, including HIPAA where applicable. Please read this policy carefully. If you have questions, contact us at privacy@joincompass.ai.

We collect the following categories of information:

Account & contact information

• Name, email address, and password when you register
• Billing information (processed by Stripe; we do not store card numbers)
• Company name, website, and role

Platform usage data

• Log data: IP address, browser type, pages visited, timestamps
• Feature usage patterns (dashboard views, filters applied, reports generated)
• Device identifiers and session tokens

Customer data you provide

• Free tier: Only de-identified, aggregated analytics data is processed. No individually identifiable patient data is accepted or stored.
• Insights tier: PHI-adjacent data may be processed under a signed Business Associate Agreement (BAA). This includes patient acquisition records, cohort identifiers, and pharmacy SLA data. All such data is subject to HIPAA safeguards.

We use your information to:

• Provide, operate, and improve the Service
• Process transactions and send related information (receipts, account notices)
• Send product updates, security alerts, and support messages
• Analyze usage patterns to improve product features
• Comply with legal obligations, including HIPAA where applicable
• Detect and prevent fraud or abuse

We do not sell your personal data or Customer Data to third parties. We do not use Customer Data for advertising purposes.

We share information only in limited circumstances:

• Subprocessors: We use third-party services to operate the platform. See our full Subprocessor List.
• Legal requirements: We may disclose information if required by law, subpoena, or governmental authority.
• Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred. We will notify you before your information is subject to a different privacy policy.
• With your consent: We may share information with third parties when you have given us explicit consent.

We engage the following categories of subprocessors to provide the Service. A complete list with names, purposes, and data protection details is available on our Subprocessor List page.

All subprocessors are bound by data processing agreements consistent with GDPR Article 28 requirements. We conduct due diligence on subprocessors' security practices and will notify affected customers of material subprocessor changes at least 30 days in advance.

We use cookies and similar tracking technologies to operate the Service. When you first visit our site, a cookie consent banner provides you with the choice to accept all cookies or essential-only.

Essential cookies are always active and necessary for the Service to function (session management, security, authentication).

Analytics cookies (set only with your consent) help us understand how you use the Service so we can improve it. We use privacy-respecting, cookieless analytics where possible.

You can manage your cookie preferences at any time via the cookie banner or your browser settings.

Depending on your location, you may have the following rights regarding your personal data:

GDPR rights (EEA/UK residents)

• Right of access: Request a copy of personal data we hold about you
• Right to rectification: Request correction of inaccurate data
• Right to erasure ("Right to be forgotten"): Request deletion of your personal data, subject to our legal obligations to retain certain records
• Right to restriction: Request that we restrict processing of your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time

CCPA rights (California residents)

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information we have collected
• Right to opt-out of the sale of personal information (we do not sell personal data)
• Right to non-discrimination for exercising your CCPA rights

To exercise any of these rights, email us at privacy@joincompass.ai with the subject line "Privacy Request." We will respond within 30 days (GDPR) or 45 days (CCPA) of receipt. We may need to verify your identity before fulfilling your request.

We retain your account data for as long as your account is active. If you close your account, we will delete or de-identify your personal data within 90 days, except where we are required to retain it for legal or regulatory purposes (such as financial records required by tax law).

Customer Data you upload is retained for the duration of your subscription. Upon account termination, Customer Data is deleted within 30 days unless you request an export first.

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such data, please contact us at privacy@joincompass.ai and we will promptly delete it.

Your information may be transferred to and processed in the United States, which may not provide the same level of data protection as your home country. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal basis for transfer. A copy of our SCCs is available upon request at privacy@joincompass.ai.

For any privacy-related questions, data subject requests, or to reach our Data Protection Officer:

• Email: privacy@joincompass.ai
• Mailing address: Compass by Launchpad / OpenLoop Healthcare Partners PC, Austin, TX

If you are in the EEA and have unresolved concerns, you have the right to lodge a complaint with your local data protection authority.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service at least 30 days before the change takes effect. The "Last updated" date at the top of this page indicates when this policy was last revised.