This Privacy Policy explains how CorePlus World Group LLC (“Alfred”, “we”, “us”) collects, uses, shares, and protects information when you use our website, dashboard, APIs, and related services (the “Service”). By using the Service, you agree to the practices described here.
1. Roles
- Customer data. When you operate a clinic on Alfred, you are the controller of your patient data and we are the processor. Our handling of patient data is governed by our Data Processing Addendum (DPA) and, where applicable, our Business Associate Agreement (BAA).
- Account data. For your own account information (your name, email, billing details), we are the controller and this Privacy Policy applies.
2. Information we collect
- Account information you provide on signup (name, email, clinic name, role, password hash).
- Billing information handled by Stripe; we receive only the last four digits, brand, and expiration of payment methods.
- Customer data you upload or sync (patient contacts, appointments, message history). When this includes PHI, it is governed by the BAA.
- Usage data: pages viewed, features clicked, journey activations, AI request counts.
- Device and log data: IP address, browser type, OS, referrer, timestamps. Used for security, debugging, and abuse prevention.
- Cookies and similar technologies as described in § 7 below.
3. How we use information
- Provide, maintain, and improve the Service.
- Authenticate users and enforce access controls.
- Send transactional messages (account, billing, security, service updates).
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with legal obligations and respond to lawful requests.
- Aggregate and de-identify data to produce benchmarks and product analytics. De-identified data does not include PHI.
We do not sell personal information. We do not use your customer data or PHI to train AI models.
4. How we share information
- Subprocessors. We share data with the subprocessors listed on our HIPAA page (Supabase, Vercel, Twilio, Resend, Anthropic, Sentry, Stripe). Each is bound by contract to use data only as we direct.
- At your direction. We share data with third-party integrations you connect (e.g., your EHR webhook, your booking provider).
- Legal compliance. We may disclose information when required by law, subpoena, or to protect rights, safety, and property.
- Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred subject to this Policy.
5. Retention
We retain account and customer data for the duration of your subscription plus a 90-day grace period for export. After that, we delete or de-identify it within 30 days, except where law requires longer retention. Audit logs of PHI access are retained for 6 years per HIPAA.
6. Security
We use industry-standard administrative, physical, and technical safeguards including TLS 1.2+ in transit, AES-256 at rest, role-based access, MFA, and encrypted backups. No system is perfectly secure; we cannot guarantee absolute security but commit to prompt notification in the event of a breach.
7. Cookies
We use first-party cookies for authentication and session management, and limited analytics cookies (PostHog) to understand product usage. We do not use third-party advertising cookies. You can clear cookies in your browser at any time; doing so will sign you out.
8. Your rights
Depending on your location, you may have the following rights:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information, subject to legal retention obligations.
- Port your data in a structured, machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent where processing relies on consent.
California residents (CCPA/CPRA) have additional rights including the right to know, the right to delete, the right to correct, and the right to limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising.
EU/UK residents (GDPR/UK GDPR) may lodge a complaint with their supervisory authority. Our lawful bases for processing are contract performance, legitimate interests, and, where applicable, consent.
To exercise any right, email hello@alfred-intelligence.com. We respond within 30 days.
9. International transfers
We process data in the United States. Where data is transferred from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses and equivalent mechanisms.
10. Children
The Service is intended for clinic operators (18+). We do not knowingly collect personal information from children under 13. Pediatric patient data uploaded by a clinic is treated as PHI under our BAA, not as data we collect directly from a child.
11. Changes to this policy
We may update this Policy from time to time. Material changes will be announced in the dashboard and by email at least 14 days before they take effect.
12. Contact
CorePlus World Group LLC
Email: hello@alfred-intelligence.com