Privacy Policy
Last updated: July 15, 2026
Introduction
Prescience, Inc. d/b/a Prescience Administrative Services ("Prescience," "we," "us," or "our") provides technology and administrative services for employer-sponsored health benefits, care navigation, provider workflows, claims and payment operations, and related financial workflows.
This Privacy Policy explains how we collect, use, disclose, and protect information about employers, plan sponsors, members, patients, dependents, providers, brokers, consultants, partners, and website visitors. It does not apply to third-party websites or services that we do not control.
When we handle protected health information (PHI) for a covered entity or another business associate, HIPAA, the applicable Business Associate Agreement (BAA), and related agreements govern that PHI. If this policy conflicts with a BAA or a legally required Notice of Privacy Practices, the BAA or required notice controls for the PHI at issue.
Information we collect
We collect information that varies by your relationship with Prescience and the services used:
- Account and contact information - name, email, phone number, organization, role, login credentials, authentication events, support messages, and communication preferences.
- Employer and plan sponsor information - company profile, census and eligibility files, plan design, enrollment, payroll and contribution data, invoices, contracts, onboarding artifacts, implementation status, bank and funding records, and aggregate plan performance information.
- Member and patient information - profile details, demographics, dependents, benefit selections, permissions and consents, health records, claims, prescriptions, labs, visits, care-navigation chats, scheduling requests, payment information, HSA or card-related records, and support interactions.
- Protected health information (PHI) - information that identifies an individual and relates to health, healthcare, payment for healthcare, or health-plan coverage when subject to HIPAA.
- Provider information - provider and practice profile details, NPI, TIN, licensure, credentialing, specialties, locations, availability, pricing, direct-contract status, payment instructions, banking details, claims, remittance records, and communications.
- Financial and transaction information - payment instructions, invoices, remittances, bank account metadata, card transaction records, reimbursement records, funding balances, and audit logs processed with banking and payment partners.
- Technical and usage information - IP address, browser and device data, pages viewed, session events, cookies, analytics identifiers, logs, crash data, security telemetry, and interactions with emails or product features.
- De-identified or aggregated information - information that has been de-identified or aggregated so it no longer identifies an individual, where permitted by law and applicable agreements.
Sources of information
We may receive information from:
- You directly when you create an account, complete forms, upload data, sign permissions, chat with Crystal, request care, or contact support;
- Employers, plan sponsors, brokers, consultants, TPAs, PBMs, carriers, stop-loss partners, administrators, and other plan operations partners;
- Healthcare providers, provider networks, record networks, labs, pharmacies, telehealth partners, and claims or eligibility systems;
- Banking, card, payment, HSA, reimbursement, and financial technology partners;
- Public or commercial provider directories, NPI registries, business-contact databases, and similar sources; and
- Cookies, analytics, security tools, email tools, and device or browser technologies.
How we use information
We use information to:
- Provide, operate, secure, support, and improve the services;
- Administer eligibility, enrollment, plan operations, claims workflows, funding, invoices, payments, reimbursements, cards, and account records;
- Help members understand benefits, navigate care, compare care options, connect records, schedule care, and coordinate payment where available;
- Support providers with network participation, direct contracts, scheduling, claims, remittance, and payment workflows;
- Generate employer and plan reporting that is aggregate, de-identified, or otherwise permitted by applicable agreements and law;
- Communicate about accounts, services, support requests, onboarding, security, product updates, transactions, and legal notices;
- Detect, prevent, investigate, and respond to fraud, misuse, security incidents, unauthorized access, and technical issues;
- Comply with legal, contractual, tax, accounting, healthcare, privacy, and regulatory obligations;
- Develop analytics, benchmarking, forecasting, and product improvements using information as permitted by law and applicable agreements; and
- Create and use de-identified or aggregated information where permitted by HIPAA, BAAs, contracts, and applicable law.
Crystal and AI-assisted care navigation
Crystal and related AI-assisted tools may process member messages, care-navigation context, plan information, provider options, connected records, and other information needed to respond. Crystal is not a medical provider, does not diagnose or prescribe, and is not for emergencies.
We use AI-assisted tools to provide care navigation, summarize context, generate suggested next steps, and support operations. We do not use PHI for advertising or sale. We do not use PHI to train third-party foundation models unless permitted by HIPAA, the applicable BAA, individual authorization where required, and other applicable law.
Voice and chat transcripts may be stored as part of the member record where permitted by member permissions, plan operations, HIPAA, and applicable agreements. Emergency or safety-related interactions may be logged or escalated as needed to protect health and safety.
Connected Gmail data
If you choose to connect a Gmail account for insurance paperwork tracking, Prescience uses Google OAuth to confirm the connected email address and receives read-only access to Gmail. Prescience does not use this access to send email, delete or modify messages, change mailbox settings, or initiate payments.
We use Gmail access only to find recent insurance-related messages from carrier and provider-billing sender domains approved for your account. We process the sender, subject, received time, message text, and supported attachments, such as EOBs and provider statements, to classify insurance notices, extract billing details, match documents to visits, and route possible billing issues for authorized Prescience review. Messages that do not match these sender and insurance-signal restrictions are not retrieved by this workflow.
OAuth tokens are encrypted. Relevant message content and supported attachments may be retained in our encrypted PHI storage with the related insurance case and visit records for as long as reasonably necessary to provide the service and meet healthcare, legal, contractual, audit, and security obligations. Access is limited to authorized personnel and service providers who need it to operate, secure, support, or review the insurance-paperwork service, subject to applicable confidentiality, security, and HIPAA obligations.
We do not sell Google user data, use it for advertising, use it to determine creditworthiness or lending eligibility, or use it to train general-purpose AI models. Prescience's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
You can disconnect Gmail in your Prescience profile at any time. Disconnecting stops future mailbox monitoring, deletes locally stored OAuth tokens, and attempts to revoke the Google grant. You may also revoke access in your Google Account. To request deletion of retained Google user data, contact privacy@getprescience.com. Some records may be retained where required by law or applicable healthcare and contractual obligations.
How we share information
We do not sell personal information or PHI. We may disclose information to the following categories of recipients when permitted by law and applicable agreements:
- Employers and plan sponsors - aggregate, de-identified, eligibility, financial, operational, and plan-administration information. The employer portal is designed not to show individual clinical records, individual claims, or individual care-navigation content to employers.
- Employer-sponsored health plans and covered entities - information needed for treatment, payment, healthcare operations, plan administration, eligibility, oversight, audits, and legal compliance, as permitted by HIPAA and plan documents.
- Members, patients, and authorized representatives - information about their own account, benefits, care-navigation history, permissions, records, payments, and available services.
- Healthcare providers, provider groups, and networks - information needed to coordinate care, schedule visits, verify eligibility, process claims, support payment, and respond to member requests.
- Brokers, consultants, TPAs, PBMs, carriers, stop-loss partners, and administrators - information needed for plan design, implementation, administration, claims, pharmacy benefits, risk protection, funding, reporting, and support.
- Banking, card, payment, HSA, and financial partners - information needed to process payments, reimbursements, funding, cards, transfers, invoices, and related records.
- Service providers and subprocessors - vendors that support hosting, security, analytics, AI infrastructure, communications, support, email, document processing, data storage, and operations under confidentiality, security, and where applicable, HIPAA-compliant obligations.
- Professional advisors - lawyers, auditors, accountants, insurers, and compliance advisors.
- Legal, regulatory, and safety recipients - when required by law, subpoena, legal process, regulator request, public health obligation, or to protect rights, safety, security, and integrity.
- Business transfer recipients - in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards and applicable law.
Where shared information is PHI, we share it only as permitted or required by the applicable BAA, HIPAA, individual authorization where required, and other applicable law.
Employer privacy boundary
Prescience is designed to separate employer business information from member health information. Employers may see plan-level, eligibility, financial, aggregate, de-identified, or operational reporting, but not individual clinical records, individual claims, or individual Crystal conversations through the employer portal.
Employers may not use Prescience reports to identify a member from aggregate data, discriminate, make employment decisions based on health information, or use member information for non-plan purposes.
Analytics, marketing, and email technologies
We use third-party technologies to operate our website, understand visitor activity, support sales and customer success, and communicate with prospective and current customers.
- Sales intelligence and visitor identification - tools such as Apollo may help identify business visitors to our website and enrich business-contact information for sales and marketing. This may involve cookies, IP address, browser data, and matching against business databases.
- Transactional email and automation - tools such as Resend help us send account, support, transactional, onboarding, and marketing emails and process delivery, open, click, and unsubscribe information.
- Product analytics and session diagnostics - tools may help us understand feature usage, errors, performance, and user experience. We configure product analytics to minimize PHI where reasonably practicable.
We do not use PHI for advertising. You may opt out of marketing emails through unsubscribe links or by contacting privacy@getprescience.com. You may manage cookies through your browser settings.
Text messaging and mobile information
Prescience uses text messages for account security and, when a member separately opts in, transactional care coordination, appointment, benefits, billing, account, and support notifications. We do not use the member SMS program for marketing. Optional SMS consent is not a condition of receiving care, plan benefits, or purchasing any service.
Message frequency varies and message and data rates may apply. A member may reply STOP to end optional notification texts, START to resubscribe, or HELP for assistance. Members may also withdraw optional SMS consent through their Prescience permissions or by emailing support@getprescience.com. Verification codes requested during sign-in are account-security messages separate from the optional notification program. Carrier-level blocking may prevent those codes until the member replies START or contacts support.
We use Pinnacle as a communications service provider to deliver and receive text messages and process delivery and keyword events. We may provide Pinnacle with the destination mobile number, sender number, message content, consent and suppression status, and delivery metadata needed to operate and secure the service. Mobile opt-in information and consent are not sold or shared with third parties for their promotional or marketing purposes.
Text messages are not guaranteed to be encrypted. Prescience notification texts avoid detailed medical, care, and claims information and direct members to sign in to the secure portal for sensitive details. The complete program disclosure and keyword instructions are available at getprescience.com/sms.
Data retention and security
We retain information for as long as reasonably necessary to provide services, maintain records, comply with legal and contractual obligations, resolve disputes, enforce agreements, support audits, and protect security. Retention periods vary based on the type of information, relationship, service, law, and agreement.
We maintain administrative, technical, and physical safeguards designed to protect information, including access controls, encryption in transit, security monitoring, audit logging, workforce training, vendor oversight, incident response processes, and least-privilege access. No method of transmission or storage is completely secure.
Security controls aligned with SOC 2
Prescience operates a security and compliance program informed by the SOC 2 Trust Services Criteria. Our controls cover security, availability, confidentiality, vendor oversight, access management, change management, incident response, and ongoing monitoring.
Alignment with the SOC 2 framework does not mean we have completed a SOC 2 Type I or Type II examination or received an independent attestation. We do not claim certification or audit status unless we expressly state otherwise in writing.
HIPAA and PHI
Prescience is committed to protecting PHI in accordance with HIPAA, the HITECH Act, applicable state laws, and applicable BAAs. Depending on the service, Prescience may act as a business associate to a covered entity, such as an employer-sponsored health plan, or as a subcontractor to another business associate.
We use and disclose PHI only as permitted or required by applicable BAAs and law, including to provide services, support treatment, payment, and healthcare operations, manage and administer our business, fulfill legal obligations, respond to authorized requests, and create de-identified information where permitted.
We maintain HIPAA-oriented safeguards, including risk management, workforce training, access controls, authentication, audit logging, encryption in transit, vendor management, incident response, and secure disposal practices.
HIPAA individual rights
HIPAA gives individuals rights with respect to PHI held by covered entities, including rights to access, request amendment, request restrictions, request confidential communications, receive an accounting of certain disclosures, and receive a paper copy of a Notice of Privacy Practices where applicable.
Requests about PHI should generally be directed to the applicable covered entity, such as the employer-sponsored health plan or healthcare provider. Prescience will assist covered entities and business associates with these requests as required by our BAAs and applicable law.
Breach notification
If we discover a breach of unsecured PHI or another reportable security incident, we will notify affected customers and cooperate in investigation, mitigation, and legally required notifications in accordance with HIPAA, applicable state law, other applicable law, and our written agreements.
California and other privacy rights
Depending on your location and relationship with us, you may have rights to know, access, correct, delete, port, restrict, or object to certain processing of personal information. California residents may have rights under the CCPA/CPRA, including rights to know, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising rights.
We do not sell personal information or PHI. If any activity is considered a "sale" or "sharing" under applicable privacy law, we will provide legally required notice and opt-out mechanisms.
To exercise privacy rights, contact privacy@getprescience.com. We may need to verify your identity and may direct requests about employer-controlled, health-plan-controlled, provider-controlled, or HIPAA-regulated information to the appropriate entity.
Children and dependents
Our public website is not directed to children under 13, and we do not knowingly collect personal information directly from children through the public website.
In benefits and care-navigation services, we may process information about dependents, including minors, when provided by a parent, guardian, employer, health plan, provider, or authorized partner. We process that information under applicable permissions, plan operations, HIPAA, BAAs, and law.
International users
Prescience services are designed primarily for use in the United States. If you access the services from outside the United States, your information may be processed in the United States and other jurisdictions where our service providers operate.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated "Last updated" date. Material changes may also be communicated through email, the platform, or other reasonable notice.
Contact us
Questions about this Privacy Policy or privacy rights may be directed to privacy@getprescience.com. Legal notices may be sent to legal@getprescience.com.