Privacy Policy

Effective date April 30, 2026
Last updated April 30, 2026

This Privacy Policy describes how Sapling Health collects, uses, and protects information across its products and services. "Sapling," "we," and "us" refer to CS Big Bend, Inc. d/b/a Sapling Health, together with its affiliated professional entity Sapling Medical Group, PA, where applicable.

This policy applies to:

  • The Sapling website (saplinghealth.com)
  • The Sapling Clinical Assistant browser extension
  • The Sapling AI Receptionist (inbound and outbound voice services)
  • The Sapling Prior Authorization, Referrals, Coding, and Billing/RCM services
  • The Sapling Management Services Organization ("MSO") services delivered through Sapling Medical Group, PA
  • Any other products or services that link to this policy (collectively, the "Services")

Sapling's Services are designed for use by healthcare practices, their clinicians, and their authorized staff. Most personal information we handle is Protected Health Information ("PHI") that we process as a Business Associate on behalf of a Covered Entity under HIPAA.

01 The roles we play

Different parts of our business handle information in different capacities:

Business Associate. When we deliver the Clinical Assistant, AI Receptionist, Prior Auth, Coding, Billing/RCM, or MSO services to a healthcare practice, we act as a Business Associate under HIPAA. The practice is the Covered Entity and owns the patient data. Our handling of PHI is governed by the Business Associate Agreement ("BAA") we sign with each practice, which controls in the event of any conflict with this policy.

Controller of our own business information. When you visit our website, contact us, or use Sapling in your capacity as a customer, prospective customer, or employee, we act as the controller of that information.

02 Information we collect

From healthcare practices and their clinicians

  • Account and authentication information: name, work email, role, practice affiliation, login credentials managed through a secure authentication provider.
  • Clinical encounter audio: captured by the Clinical Assistant when a clinician initiates recording, transmitted directly to our ambient documentation subprocessor for transcription. Audio is not retained by Sapling or our subprocessor after the note is generated.
  • Voice call audio and metadata: captured by the AI Receptionist for inbound and outbound calls (e.g., scheduling, recall campaigns, prior authorization calls). Calls may be recorded and transcribed where permitted by applicable law and the practice's configuration.
  • Clinical content: transcripts, notes, problem lists, medications, lab and referral information, and other PHI processed to deliver the Services.
  • Claims and billing data: demographic, insurance, and encounter information used for eligibility, prior authorization, coding, claims submission, and revenue cycle management.
  • EHR integration data: information we read from and write to the practice's EHR, limited to what is needed to deliver the contracted Services.
  • Usage and diagnostic data: feature usage events, error logs, and performance metrics. We minimize PHI in this data wherever feasible.

From website visitors

  • Information you submit through forms (e.g., name, email, practice name, message content)
  • Standard log data (IP address, browser, pages visited, referrers)
  • Cookies and similar technologies for site functionality and basic analytics

From job applicants and personnel

  • Resume and application materials, contact information, and other information you submit during recruiting.

03 How we use information

We use information to:

  • Deliver the Services (including documentation, voice handling, prior authorization, coding, billing, and MSO operations)
  • Authenticate users and protect against unauthorized access
  • Maintain audit logs and other records required under HIPAA and applicable law
  • Operate, secure, troubleshoot, and improve the Services
  • Communicate with practices, customers, and prospective customers about the Services
  • Comply with legal, regulatory, and contractual obligations

We do not use Services data for advertising and we do not engage in patient-facing marketing.

04 AI model training

We do not use customer data — including PHI, de-identified data, audio, transcripts, notes, claims data, or any clinical content — to train, fine-tune, or improve any AI models, whether our own or those of third parties. Our subprocessors are contractually prohibited from using customer data for model training under our agreements with them.

05 How information is shared

We share information only as needed to deliver the Services and only with parties bound by HIPAA-compliant Business Associate Agreements or equivalent confidentiality and security obligations. Categories of subprocessors include:

  • Cloud hosting and infrastructure providers
  • Ambient clinical documentation and transcription providers (no audio retention)
  • Voice telephony and conversational AI providers for the AI Receptionist
  • Medical coding AI providers
  • Claims clearinghouse and revenue cycle infrastructure providers
  • EHR integration and middleware partners
  • Authentication and identity providers
  • Payment processors (for Sapling's billing of practices, not for patient payments)

A current list of named subprocessors is available to practices on request.

We disclose information outside the Services only:

  • To the practice that owns the data, or to parties the practice authorizes
  • To third parties contracted to deliver the Services (as described above)
  • Where required by law, subpoena, or other valid legal process
  • In connection with a corporate transaction (e.g., merger, acquisition, financing), subject to the recipient's commitment to honor this policy and the applicable BAAs

We do not sell or rent personal information. We do not share information with advertisers or data brokers.

06 Data retention and deletion

  • Audio (clinical and voice): Not retained beyond what is required to generate the immediate output. Deleted after processing.
  • PHI and clinical content: Retained only as needed to deliver the Services and as specified in the BAA with the practice. Patient records remain the property of the practice.
  • Claims and billing records: Retained for the period required by federal and state law applicable to billing and revenue cycle records.
  • Account and audit logs: Retained for the duration of the service relationship and the period required by HIPAA and applicable state law.
  • Website data: Retained as long as needed for the purposes described above, then deleted or aggregated.
  • On termination: We will return or securely delete customer data within thirty (30) days of written request from the practice, subject to legal retention requirements.

07 Security

We maintain administrative, physical, and technical safeguards designed to protect personal information, including:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls and least-privilege provisioning
  • Audit logging of access to PHI
  • Secure software development practices and regular security review
  • Workforce HIPAA training and confidentiality obligations
  • Incident response procedures consistent with HIPAA breach notification requirements

No system is perfectly secure, but we treat the protection of clinical data as a core requirement of our business.

08 The practice's role

The Services are deployed at the direction of the healthcare practice that engages Sapling. The practice is the Covered Entity under HIPAA and is responsible for:

  • Obtaining any patient consents required by law (including for the use of ambient documentation, call recording, or outbound patient outreach)
  • Determining which staff have access to the Services
  • Configuring outreach campaigns, call scripts, and clinical workflows

Patients with questions about how their information is used should contact their healthcare provider directly.

09 Children

Several Sapling-supported practices treat pediatric patients, and PHI processed through the Services may relate to minors. All such information is handled under the same HIPAA-compliant terms described in this policy and the applicable BAA. The Services are workforce tools used by clinicians and are not directed to children; children do not interact with the Services directly.

10 State privacy rights

Where applicable state privacy laws (including the California Consumer Privacy Act / California Privacy Rights Act and similar laws in other states) provide rights to individuals, those rights generally do not apply to PHI handled under HIPAA, which is governed instead by federal health privacy law. For non-PHI personal information that may be subject to state privacy laws, individuals may contact us at the address below to exercise applicable rights, including the rights to access, correct, or delete personal information and to opt out of certain processing activities.

We do not sell personal information and we do not engage in cross-context behavioral advertising.

11 International users

Sapling's Services are designed for use within the United States. We do not currently market the Services to individuals outside the United States.

12 Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Last updated" date above and, where appropriate, communicated directly to practices and account administrators.

13 Contact

Questions about this Privacy Policy or Sapling's privacy practices may be directed to:

Sapling Health
Attn: Privacy
privacy@saplinghealth.com
[Mailing address]

For HIPAA-specific inquiries about a specific patient's information, please contact the healthcare practice that provided the care; the practice is the Covered Entity for that PHI.