Privacy Policy

1. Scope

This Privacy Policy applies to visitors of the Interoperly public marketing website at interoperly.com. It explains what information we collect when you visit this site, why we collect it, who we share it with, and the rights you have over your information.

This policy applies to interoperly.com only. The Interoperly clinical platform (operating at console.interoperly.com, app.interoperly.com, and api.interoperly.com) handles Protected Health Information under separate HIPAA-governed privacy controls. If you are a patient using the Interoperly app, the privacy notice applicable to your use of the app will be presented to you through the app at the time of onboarding.

2. Who We Are

Interoperly LLC ("Interoperly," "we," "us," "our") is a Delaware limited liability company that operates the Interoperly clinical decision intelligence platform. For purposes of GDPR, we are the data controller for personal data collected on this website. To exercise your privacy rights or to contact us about this policy, write to privacy@interoperly.com. A business mailing address for written privacy requests will be added to this policy before activation of visitor analytics, tracking technologies, or contact-form data intake. Until then, privacy@interoperly.com is the sole method for privacy requests on this site.

3. Information We Collect on This Site

When you visit interoperly.com, we collect a limited set of information necessary to operate, secure, and improve the site:

3.1 Standard web request data. Our hosting provider (Vercel, listed in the Vendor Disclosure Table in Section 6) automatically logs incoming HTTP requests, including: IP address, user agent string, requested URL, HTTP referer, response status, and timestamp. These logs are used for security, abuse prevention, and operational diagnostics.

3.2 Information you provide voluntarily. If you submit a form on this site (when contact-form intake is launched in a future update), the information you provide (such as your name, work email, company name, job title, and message) is transmitted to Interoperly and stored in our managed Postgres database operated by Neon (listed in the Vendor Disclosure Table in Section 6). At the time of this policy's effective date, no contact form is active on this site.

3.3 Browser-level information necessary for site function. Your browser language preference (used to render appropriate content) and any consent choices you record (when the cookie banner is launched in a future update) are stored locally in your browser.

You are not required to provide voluntary inquiry information through this site. If you choose not to provide it, we may not be able to respond to your inquiry or evaluate a potential business relationship.

4. What We Do Not Collect

The Interoperly public marketing site is designed to be a PHI-free zone through strict operational and technical controls. We do not request, collect, process, or transmit Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA) at 45 CFR 160.103 through this website.

Specifically, on interoperly.com:

• We do not ask visitors for symptoms, diagnoses, medications, lab values, treatment history, or any other health information about any person, including the visitor.
• We do not embed clinical data widgets, AI symptom assistants, or chat tools that could elicit health information.
• We do not display patient data fetched from our clinical platform.
• We do not transmit health information to analytics or marketing vendors.

If a visitor unintentionally includes health-information-like content in a free-text field on a future contact form, our automated handling flags the submission, excludes it from any analytics-vendor sync, and routes it to privacy@interoperly.com for manual review and redaction. This handling is described further in our internal Free-Text Hygiene Procedure.

Our clinical platform handles PHI under separate HIPAA-governed controls. That platform is not in scope for this policy.

5. Purposes and Legal Bases

We process the information described in Section 3 for the following purposes, with the following legal bases under GDPR Article 6:

5.1 Site operation and security. To deliver this website to your browser, defend against abuse, and diagnose operational issues. Legal basis: legitimate interests (Article 6(1)(f)) in operating a secure public-facing website.

5.2 Responding to inquiries. To answer questions you submit through a contact form (when launched). Legal basis: steps taken at your request prior to entering into a contract (Article 6(1)(b)).

5.3 Improving our site and content. To understand which content resonates with visitors and improve future content. Legal basis: consent (Article 6(1)(a)) where required, or legitimate interests (Article 6(1)(f)) for non-personal aggregate measurement. Analytics vendors named as Planned in Section 6 will activate only after consent infrastructure is in place.

5.4 Sales and outreach. To identify organizations that may benefit from Interoperly and reach out about our services. Legal basis: consent (Article 6(1)(a)) where required, or legitimate interests (Article 6(1)(f)). Identification and enrichment vendors named as Planned in Section 6 will activate only after consent infrastructure is in place.

6. Vendors and Subprocessors

The following table identifies vendors who may receive personal data from this site. Vendors marked Active currently receive data; vendors marked Planned will only receive data after a separate Data Processing Agreement is executed and consent infrastructure is in place.

7. Cookies and Tracking Technologies

We organize cookies and similar technologies into the following categories:

• Strictly necessary. Required for site function and security. These cannot be disabled because the site would not work without them. Examples: load balancing, security tokens, your consent record itself.
• Functional preferences. Optional. Stores preferences you have chosen, such as language or theme.
• Analytics. Optional. Will be used by analytics vendors named as Planned in Section 6 once a consent banner is in place. Not active today.
• Marketing and audience insights. Optional. Will be used by marketing and audience-insight vendors named as Planned in Section 6 once a consent banner is in place. Not active today.

As of the effective date of this policy, only Strictly necessary cookies are in use. We will introduce a consent banner before activating any cookie or tracking technology in the Functional, Analytics, or Marketing categories.

8. International Data Transfers

Interoperly is based in the United States. The personal data we collect through this website is processed and stored in the United States by the vendors named in Section 6. If you access this site from outside the United States, your information will be transferred to and processed in the United States.

For visitors located in the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses adopted by the European Commission as the legal mechanism for cross-border transfers to our processors, in addition to any vendor-specific safeguards documented in our Data Processing Agreements.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in Section 5:

• Web request logs: retained by our hosting provider for the duration of their standard log retention window for operational and security purposes.
• Voluntary form submissions (when contact form launches): retained in our managed database for the duration of our active business relationship plus a reasonable period thereafter for legal and audit obligations, with periodic review.
• Free-text content flagged as potentially health-information-like: routed for manual review and redaction without undue delay, and in any event within seven calendar days, with the pre-redaction version not retained.
• Browser-stored consent records: retained in your browser until you clear them or until expiration set by the consent banner.

10. Your Rights Under GDPR (EEA and UK Visitors)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to personal data we process about you:

• Right of access (Article 15): obtain a copy of your data and information about how we process it.
• Right to rectification (Article 16): correct inaccurate data.
• Right to erasure (Article 17): request deletion of your data, subject to applicable exceptions.
• Right to restriction of processing (Article 18).
• Right to data portability (Article 20): receive your data in a portable format.
• Right to object (Article 21): object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent at any time, where consent is the legal basis for processing.
• Right to lodge a complaint with the data protection authority of your member state. A directory is maintained at https://edpb.europa.eu/about-edpb/board/members_en.

To exercise these rights, write to privacy@interoperly.com. We respond within 30 days as required by GDPR Article 12(3).

11. Your Rights Under CPRA (California Residents)

If you are a California resident, you have the following rights with respect to personal information we process about you:

• Right to know what personal information we collect, use, disclose, and retain.
• Right to delete personal information we have collected.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information.
• Right to limit the use of Sensitive Personal Information.
• Right to non-discrimination for exercising these rights.

Interoperly does not sell personal information. As of April 29, 2026, Interoperly does not share personal information for cross-context behavioral advertising. Future activation of audience-insight or marketing-attribution vendors named as Planned in the Vendor Disclosure Table in Section 6 will be disclosed in an updated version of this policy and will be consent-gated through the cookie banner that will accompany those activations.

Interoperly does not knowingly collect or request Sensitive Personal Information as defined under CPRA on this site. We do not request health information, precise geolocation, government identifiers, racial or ethnic origin, religious beliefs, sexual orientation, or biometric identifiers through our website forms or analytics.

We will honor recognized opt-out preference signals, including the Global Privacy Control (GPC), when technologies subject to such opt-out rights are activated. Because we do not currently sell or share personal information for cross-context behavioral advertising, there is no opt-out preference signal workflow active on this site today.

To exercise these rights, write to privacy@interoperly.com. We respond within 45 days, with a possible 45-day extension as permitted under CPRA. Before fulfilling a request, we may need to verify your identity to a degree of certainty appropriate to the request type.

12. Children's Privacy

This site is not directed to children under 13 (or the equivalent minimum age in the relevant jurisdiction), and we do not knowingly collect personal information from children under that age. If you believe we have inadvertently collected information from a child, please contact privacy@interoperly.com so we can delete it.

13. How We Protect This Site

This website is protected by industry-standard transport and delivery controls, including:

• HTTPS-only delivery with HTTP Strict Transport Security.
• A strict Content Security Policy with no inline scripts or styles.
• Cross-Origin Opener Policy and Cross-Origin Resource Policy set to same-origin.
• X-Frame-Options set to DENY to prevent clickjacking embedding.
• A Permissions Policy that denies access to camera, microphone, geolocation, and other sensitive browser features.
• No PHI on this domain (per Section 4).

Our clinical platform, which is out of scope for this policy, is protected by separate HIPAA-governed controls.

14. Subprocessors and Data Processing Agreements

Where we transmit personal data to a vendor acting as a processor, we maintain a Data Processing Agreement governing that relationship. The Vendor Disclosure Table in Section 6 names the legal counterparty and DPA basis for each vendor.

For Neon, our managed Postgres provider, the DPA is in force by reference via the Neon Platform Services Product Specific Schedule executed April 25, 2026, which incorporates Neon-specific modifications to the Databricks Data Processing Addendum maintained at https://www.databricks.com/sites/default/files/legal/dpa-20230721.pdf.

For Vercel and GitHub, our hosting and source-control providers, we rely on each vendor's standard data-processing terms for the services in use.

For analytics and marketing vendors named in Section 6 as Planned, no data is flowing to them today. Each will be activated only after appropriate data-processing terms are in place and recorded in our vendor registry. The Vendor Disclosure Table will be updated and a notice posted on this page before any such activation.

15. Contact Us

For all privacy inquiries, including to exercise your rights under GDPR or CPRA, please write to privacy@interoperly.com. We aim to acknowledge requests within 5 business days and respond substantively within the timelines specified in Sections 10 and 11.

A business mailing address for written privacy requests will be added to this policy before activation of visitor analytics, tracking technologies, or contact-form data intake. Until then, privacy@interoperly.com is the sole method for privacy requests on this site.

Before fulfilling a substantive request, we may ask you to verify your identity through information already in our possession or through a verifiable email exchange.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" and "Effective date" lines at the top of this page. For material changes, including the activation of any new vendor that processes personal information, we will post an in-page notice at least 30 days before the change takes effect.