Privacy Policy

Last Updated: June 22, 2026

1. Scope

This Privacy Policy explains how Calysta Pro EMR (“Calysta,” “we,” “our,” “us”) collects, uses, discloses, and safeguards personal information and Protected Health Information (“PHI”) in connection with our services.

2. HIPAA and Business Associate Position

Where Calysta provides services to Covered Entities or Business Associates under HIPAA, Calysta functions as a Business Associate and processes PHI in accordance with applicable law and contractual obligations, including executed Business Associate Agreements (“BAAs”).

3. Information Collected

We may process:

  • Account and identity data (name, email, phone, role, facility)
  • Patient and clinical workflow data entered by authorized users
  • Appointment and scheduling data
  • Billing/payment transaction metadata
  • Integration credentials/tokens required for enabled features
  • Device, access, and security logs

4. Purposes of Processing

We process data to:

  • Provide EMR, scheduling, communication, and billing functions
  • Authenticate users and enforce role-based access
  • Support authorized integrations
  • Maintain security, availability, and performance
  • Comply with legal, regulatory, and contractual obligations

5. Google Calendar Sync Policy

If enabled by user action:

  • OAuth authorization is obtained with user consent
  • Tokens are stored to maintain calendar synchronization
  • Data use is limited to scheduling synchronization and operational support
  • Users may disconnect at any time; future sync ceases after revocation
  • We do not use calendar access for advertising purposes

6. Payment Card / Card Capture Policy (Authorize workflows)

For card capture and recurring payment enablement:

  • Calysta does not store full PAN or CVV in EMR application records
  • Payment card handling is performed through secure processor flows and tokenized references
  • Calysta stores only processor references/tokens and transaction data needed for billing operations, reconciliation, and audit trails
  • Access to billing functions is permission-controlled and logged

7. Security Safeguards

Calysta maintains safeguards aligned with HIPAA Security Rule expectations, including:

  • Access control and least-privilege authorization
  • Authentication controls and API access restrictions
  • Encryption in transit and appropriate storage protections
  • Logging, monitoring, and incident response processes
  • Workforce confidentiality and access governance

8. Security Incidents and Breach Notification

Calysta maintains procedures to detect, investigate, mitigate, and document security incidents involving personal information or PHI. Where Calysta acts as a Business Associate and determines that a breach of unsecured PHI has occurred (as defined under HIPAA), Calysta will notify the applicable Covered Entity or customer without unreasonable delay and in accordance with applicable law and the parties’ Business Associate Agreement, including notification within required timeframes.

Notifications will include, to the extent known: a description of the incident, the types of information involved, steps Calysta is taking to investigate and mitigate harm, and contact information for follow-up. Calysta will cooperate with the Covered Entity in meeting any obligations to notify affected individuals, regulators, or others as required by law.

Customers should report suspected security incidents affecting Calysta services through official Calysta support/security channels.

9. Use and Disclosure

We do not sell personal data or PHI.

We disclose data only as necessary to:

  • Provide requested services
  • Work with authorized subprocessors/service providers
  • Meet legal obligations
  • Protect rights, safety, and platform security

10. Subprocessors

Sub Processors are used for core operations (e.g., communications, storage, scheduling, payments). Appropriate contractual and security controls are required.

11. Data Retention

Data is retained according to operational necessity, legal/regulatory requirements, and audit/security obligations, then securely deleted or de-identified as permitted by law and contract.

12. Individual and Customer Rights

Subject to applicable law and customer relationship terms, requests may include access, correction, restriction, or deletion. HIPAA rights are managed through the applicable Covered Entity where required.

13. International/State Law

Where applicable, Calysta supports customer compliance with U.S. federal and state privacy obligations, including HIPAA and applicable state privacy/security laws.

14. Policy Updates

We may update this policy periodically. Material changes will be posted with a revised effective date.

15. Contact

For privacy, HIPAA, or security matters, contact Calysta through official support channels.

16. Card Capture Page Privacy Notice (for payment page)

By submitting payment details on this page:

  • Your card data is processed through secure payment processor workflows.
  • Calysta does not store full card number or CVV in EMR application records.
  • Calysta stores only payment token/reference and transaction metadata needed for billing, reconciliation, and audit.
  • This page is used only for authorized billing/payment setup.
  • Access to payment data is restricted based on role and operational need.
  • If you have questions about payment data privacy, contact support through official Calysta channels.